Episode 259 of The CyberJungle is about 22 minutes long. You can hear it by clicking on the flash player below. The interview with Chester Wisniewski Apple Expert at Sophos Security begins at about 13:30min. You may download the file directly – great for listening on many smartphones. Or, you may go to the listening options page and browse for other ways to hear the show.
To listen to Episode 259 via the flash player:
From the floor of Interop Las Vegas: Chester Wisniewski Apple Expert at Sophos Security
The technical and non-technical press is buzzing over the “discovery” by a forensic researchers Alasdair Allan and Pete Warden. The revelations are not new, but the implications are still very disturbing.
Yesterday, Allan and Warden released a an application that uses an interesting plain-text file on 3G iPhones and iPads. This file contains the geo location of where the device (and presumably it’s owner) has been. The application blots the geo data onto a map, allowed one to see the travels and location of the device, and it’s owner.
The non-technical press has taken this story as a revelation. Both the Wall Street Journal radio report out of the Bay Area (on KSFOAM) and The BBC World Service have been running this story all morning. Alex Levinson is a forensic researcher that has correctly pointed out that work by Allan and Warden did not credit the earlier research done by Alex, and others, in this area. Indeed, in a The CyberJungle posting from the Paraben Forensic Innovator’s Conference (PFIC) in Park City, UT last November, we reported the mountains of data that can be recovered from iOS devices.
The privacy implications of this data becoming available to in a civil lawsuit, or in a criminal matter, are quiet significant. Everything from visits to a mental health provider, a controversial art exhibit, a winery, or a discreet meeting with an ex lover could become open to unwanted scrutiny. It’s difficult to predict how the information regarding someone’s whereabouts could be used to harm an individual in a civil or criminal matter. We already have privacy challenges with the proliferation of closed circuit television (CCTV), and the ability to correlate the data with iOS geo data becomes an enormously powerful investigative tool.
Interestingly, yesterday also saw reports that Michigan law enforcement maybe taking complete “in the field” forensic images of mobile devices from some drivers during routine traffic stops. This revelation should cause any citizen to take a pause, as it has the Michigan ACLU.
What are some of the techniques the average citizen can use to add layers of privacy, and still use a mobile phone, or tablet? We plan more coverage of this story in the next episode of CyberJungle Radio (episode 210), including options to help mitigate these privacy leaks.
Episode 207 of The CyberJungle is about 48 minutes long. You can hear it by clicking on the flash player below. You may download the file directly – great for listening on many smartphones. Or, you may go to the listening options page and browse for other ways to hear the show. The interviews start at about the 26:30 mark.
If you don’t understand this basic cyber crime concept, you better figure it out this week, because there is a large-scale attack underway. The Websense link to the blog posting and video Ira mentioned.
Episode 204 of The CyberJungle is about 39 minutes long. You can hear it by clicking on the flash player below. You may download the file directly – great for listening on many smartphones. Or, you may go to the listening options page and browse for other ways to hear the show. The interviews start at about the 30:30 mark.
To listen to Episode 204 via the flash player:
Interview: Trevor Dietrich, VP and Co-Founder of Bayalink Solutions, on a virtulization app to secure iPads + more. He’s seeking beta testers. Trevor’s Twitter Feed.
Our Take on The Week’s News
A federal district court in New Jersey has decided that a social worker and special education instructor employed by the school board are liable for violating a high school student’sprivacy… after the teacher handed out a poorly-redacted copy of the studen’t psychological evaluation as a teaching tool. Read the story here, or read the court’s decision.
Industrial Espionage at Renault, or poor forensics, or both? Some details in this Economist story.
California’s top utility regulator has given gave Pacific Gas and Electric Co. two weeks to propose a way for customers to opt out of receiving the company’s controversial wireless SmartMeters.
Episode 203 of The CyberJungle is about 53 minutes long. You can hear it by clicking on the flash player below. You may download the file directly – great for listening on many smartphones. Or, you may go to the listening options page and browse for other ways to hear the show. The interviews start at about the 25:30 mark.
This week’s regular episode of The Cyberjungle is 1 hour and 14 minutes long. You can hear it by clicking on the flash player below, or you can go to the listening options page and browse for other ways to hear the show.
To listen to Episode 169 via the flash player:
Sean Paul Correll from Panda Security discusses a survey of small and mid-sized businesses, and discusses what he’s learned about the attitudes and the habits they have when it comes to security.
Read the PandaSecurity report on small and medium sized business security. And Sean-Paul mentioned a free USB anti-malware tool, you may find it here.
Tales from the Dark Web
Fake my traffic - is it a scam, or is it just someone who wants to help you perpetrate a scam?
Our Take on This Week’s News
We hate Google, writ large – Consumer Watchdog has produced a hilarious video taking a jab at Google and Eric Schmidt. Worth watching… and a lot of folks are seeing it since it’s playing on the jumbo tron in Times Square. Schmidt as evil ice cream man offering kids free goodies while taking a body scan from his good humor truck. But we wonder about asking congress to create a “don’t track me” list. That’s like asking the three stooges to clean out the tool shed without hurting each other.
Tales from The Dark Web: Big web traffic means big bucks … but have we uncovered a big Dark Web scam?
Be careful of email messages that appear to come from Symantec products via email. It just might be a scam. See more at Martin Hall’s Blog, The Test Manager
Brian Krebs continues his excellent coverage of the banking Trojans and the people who carry out the attacks. This time the criminals told a money mule that cash stolen from a Catholic diocese was intended for victims of sexual abuse.
Microsoft DLL Flaw New Fixit tool from Microsoft, to be used in conjunction with other mitigation techniques.
Episode 163 is the this week’s full episode of The CyberJungle, posted immediately below. Episode 162 is the su root edition for advanced listeners – material that’s too technical for the radio. The advanced material consists of an interview with Wayne Huang, who did early research that led to the discovery of the drive-by download. Scroll down to the end of this batch of show notes to find it.
This week’s regular episode of The Cyberjungle is 1 hour and 19 minutes long. You can hear it by clicking on the flash player below, or you can go to the listening options page and browse for other ways to hear the show.
To listen to Episode 163 via the flash player:
Wayne Huang is an executive at Armorize, working in Taiwan. His early research led to the discovery of what we now call drive-by downloads. This episode of the Cyberjungle has a 7-minute interview with Wayne, which is a bit more elementary than the 35-minute su root version at the bottom of this set of show notes. The 7-minute interview starts at about 24 minutes into episode 163.
Free Open Source Project to fight drive-by downloads is at Drivesploit.
Tales from the Dark Web
When your patch reminders pop up on your screen automatically, that’s a convenience. When they arrive by email, that’s a scam.
Our Take on This Week’s News
Is Google buying microdrones like the ones in this vide0? And if so, what will Goolge do with them? Seems unclear at this point, but the implications kind of freak us out.
Everyone wants an iPad… we wonder if elected officials are willing to contort financial reality and ignore open meeting law requirements in order to play with an iPad on the taxpayers dime. This USA today report says city councils are buying iPads to save the cost of paper. But they might be buying a whole lot of trouble that will make the paper budget seem trivial.
City of San Francisco’s former network administrator Terry Childs was sentenced to 4 years for locking the city out of its network. He’s been cooling his heels in jail for two years during the trial, and now it looks like he’ll serve about another 6 months with credit for time served. The San Francisco Weekly had the best summary of the case, and seems to be the only media outlet that truly grasps the moral of the Terry Childs story.
Attention merchants and other businesses relying on credit card purchases. PCI 2.0 is coming in October, and will probably become effective in January. Yes, it will require more of you. Here is the current standard. The new standard will require web application logging, and better accountability and tracking of credit card number within the business network.
Apple iPhone Patches have been distributed for devices affected by the jailbreakme flaw. Problem is, the patches work selectively. They do not apply to all devices. Available for: iOS 2.0 through 4.0.1 for iPhone 3G and later, iOS 2.1 through 4.0 for iPod touch (2nd generation) and later. Here’s Apple’s report on the flaw. Jay Freeman (Saurik) has made an unofficial patch for one (CVE-2010-1797) of the two vulnerabilities patched by Apple. It’s available for Jailbroken devices via Cydia, and will work also on the older devices that have not yet received any updates from Apple, plus new devices if you don’t want to use Apple’s update.
Cybercriminals are already gearing up for the holidays, creating booby traps for likely Halloween and Thanksgiving search terms.
Did your shrink leave town for a convention this week? If (s)he is attending the San Diego gathering of the American Psychological Association, you might want to text him or her, and warn about the social networking app the convention organizers have made available. Seems the attendee code on the ID badges double as the log-in codes for the shrink network. Oops… one wrong digit and you can view someone else’s conference registration data.
1. From Steve: Our small business is running rather old PCs. Many of them are over 7 years old, and they take for ever to boot up. We are on a tight budget, we are seeing refurbished PCs with XP and new PCs with Windows7, is it worth the extra money to upgrade to Windows7? Will we get improved security?
A: YES, and your company can purchase refurbished PCs running Windows7. Get the 64 bit version, and upgrade to Office2010, for improved security and productivity.
2. From Malik: We are having a lot problems with our business email server. We are a company with less than 20 employees, but we are spending a lot of money with our IT guy on the server, where the email, and our filesve. He says we should buy a new server. The one we have is about 5 years old. Should we buy a new server, or, should we look at switching to something like gmail?
A: Get a new, smaller file server that runs Windows2008, or (even better) Linux. Buy business-grade email services from a quality firm that offers hosted Microsoft Exchange, or Open Source Zimbra.
3. Andrew: Our employees want to use their own iPads at work. They want to access work files, do email, take notes, and do other tasks. If they want to buy the iPads on their own, what are the risks to our business.
A: Plenty. Ediscovery, loss of business data, are just two. Wait a few months as business-grade alternatives to iPads are released. They are just about to be launched into the market for just your situation.
Episode 162 – su root edition:
This is our unedited edition, featuring a longer and more technical conversation with Wayne Huang of Armorize, discussing his early research that led to the discovery of drive-by downloads The audio file is 35 minutes long.
You can hear it by clicking on the flash player below, or you can go to the listening options page and browse for other ways to hear the show.
To listen to su root edition (episode 162) via the flash player:
Episode 161 is the this week’s full episode of The CyberJungle, posted immediately below. Episode 160 is the su root edition for advanced listeners – material that’s too technical for the radio. The advanced material consists of three conversations from DefCon 18. Scroll down to the end of this batch of shownotes to find it.
This week’s regular episode of The Cyberjungle is 1 hour and 12 minutes long. You can hear it by clicking on the flash player below, or you can go to the listening options page and browse for other ways to hear the show.
To listen to Episode 161 via the flash player:
Security Researcher Craig Hefner offers an alarming discovery about the consumer grade routers you buy at the big box store. He’s found major flaws in these router/firewalls. This interview is about 8 minutes long, and it begins at 59 minutes into Episode 161. Or you can just listen to the interview by going to our conference notes page. Also, here are some links to more information about Craig’s work:
Our dramatic audio taken at a DefCon 18 press conference, in which the host of the press conference begins (quite out of the blue) to describe his personal relationship with Adrian Lamo, one of the central characters in the Wikileaks incident. We posted this story, and six minutes of audio featuring cybersecurity researcher and self-described white-hat hacker Chet Uber on the last day of DefCon. In it, Uber discusses how he persuaded Lamo to turn in accused leaker Pfc Bradley Manning. There is a disputed fact in Uber’s account. Uber said he helped Lamo determine that documents in his possession were classified. Lamo now denies that he ever had possession of top secret documents. The facts will come out at Bradley Manning’s trial. No matter who is correct, the sound file offers some interesting insight into how a high-level meeting with federal law enforcement is arranged, and what top secret documents look like. The file is at the bottom of this story, if you want to hear it.
Our Take on This Week’s News:
The National Science Foundation has a porn problem according to Senator Chuck Grassley. Seems the science guys are passing around porn despite technical measures taken by the agency to block it. Oh, and there’s one guy who reportedly spends 20 percent of his time looking at porn, at an estimated cost to the taxpayer of $58,000. So do the math. This guy makes $290k per year??? WTF!!!
BlackBerry Ban – RIM Coming To Agreement With Middle-Eastern and Asian Nations on Eavesdropping. The question that we are still researching: What about a foreigner that uses BES in one of the nations? Is the traffic routed to one of these local RIM servers, or back to Canada?
Salute to the Wall Street Journal for its series this week on web tracking, cell tracking and other privacy issues.
We stumbled over the Social Engineering contest at DefCon18. A super fun event to watch, as contestants placed phone calls to major U.S. corporations, and charmed employees into revealing a wide range of information about company operations — everything from the name of the dumpster service to the details of the IT architecture. (We posted a story about it here, describing a call to Apple that yielded a whole lotta info. Boy, Steve’s gonna be mad. There’s also an audio file with a three-minute explanation of the contest by its organizers, an group called Social-Engineer. The audio file is located about half-way through the story.) Read about the Social Engineering organization here.
The annual session on physical lock security is always a hit. (This year there was more than one.) We attended the presentation by Marc Weber Tobias. His team demonstrated flaws in five different locks, from the plain-vanilla pin tumbler lock on your back door, to the $200 fingerprint biometric, the electronic RFID military lock and even a personal safe. You can see the videos here, demonstrating how the locks were breached.
Speaking of physical security — a state agency head in California sent an email message to 175 employees announcing that the lock at the south end of their office building was malfunctioning, and there was no budget to fix it. This column in the Sacramento Bee offers an unintentionally comical account of the way this broken lock was broadly communicated to the world when one of the employees faxed a copy of the email to a state worker newsletter. The info apparently ended up — we’re not sure how — on the desk of the SacBee reporter who wrote the column. The major point of the story is that California has no money, and even getting approval to fix a broken lock on a state building in a bad neighborhood is a tough uphill climb. But the funny part is how nobody ever stopped to consider that inside this building, where unemployment benefit checks are written, there is a whopping amount of personal information about the citizens of the State Formerly Known as Golden. Wow… If we were bad guys we’d probably keep an eye on this place even after the lock is fixed, because it might be a really easy target.
If we don’t laugh, we’ll probably cry. For laughs – a national association of perverts has offered an endorsement of body scanning machines in airports. Now read this and weep – The feds love these machines so much that they’ve decided to deploy them at federal courthouses as well as airports. Where next, the public library? And yes, they do store images, the feds now admit, after repeated denials that the machines had such capabilities. Duh. Did we think they would perform a visual inspection for contraband, and then fail to store the image for evidence during prosecution?
Episode 160 – su root edition:
This is our unedited edition, featuring three interviews straight from DefCon 18. The audio file is 34 minutes long. This is a special DefCon18 edition featuring interviews with David Bryan on building a network to withstand thousands of hackers, and using low-cost equipment and volunteers. He has lessons for anyone building a network today. Then we have an interview with Chris Drake of Firehost web hosting on web application security. Finally the third interview is with Suhil Ahmed of Airwave Security about his discovery of a flaw in the WPA WiFi security protocol that can reveal confidential information, and has no patch. But, there is a workaround.
You can hear it by clicking on the flash player below, or you can go to the listening options page and browse for other ways to hear the show.
To listen to su root edition (episode 160) via the flash player:
You can hear episode 159 by clicking on the Flash player below, or if your device does not support Flash, you can visit our listening options page for other ways to receive the show. Episode 159 is one hour and 9 minutes long.
Interview #1 – Jeremiah Grossman, CEO of White Hat Security, discovered an odd security flaw in the Apple Safari Browser. Alas, he tried to notify Apple, only to be rebuffed. He posted the story on his blog, and he decided to go public at Black Hat, and just about the time we finished this interview with him, Apple acknowledged the problem. Fix pending. Hear an overview of Jeremiah’s presentation in Episode 159. It’s 11 minutes long, starting about 12 minutes into the show.
Interview #2 – Mickey Boodaei, CEO of security firm Trusteer, has been hard at work on the banking trojan problem, and they’ve got a problem that may help. We discuss it with him in Episode 159. It’s 10 minutes long, starting at 55:00.
Banks have long since stopped moving paper checks from one location to another, preferring the economy of scanning. What if someone broke into the digital repository where they store all those pictures of checks?… Someone did.
Citibank announced today a major flaw in its iPhone/iPad banking app. The app leaves account information on the device. What is this bad? Well, iPhone/iPad/iOS does not support whole disc encryption.
At last month’s Gartner Security and Risk Conference in DC, I sat next to a Senior Executive with one of the larger anti-virus companies. According to this executive, the company wants to make and sell a whole disc crypto product, but Apple will not open its API (application program interface) to support whole disc encryption.
Citi iPhone App
Today’s announcement by Citibank about a flaw in their app, comes as little surprise. While this particular flaw can be fixed with an update, the fact remains: The foundation is sitting on shifting sands. The iOS is first and foremost a consumer media platform. It has a great bright interface, and plays music and videos really well. It has a great eBook reader. But, these devices were not and are not built with security and privacy at their foundation.
When you mistype a word, iOS saves, it, unencrypted. When you use a map, iOS saves it, unencrypted. When info is “erased.” the platform saves it, unencrypted. As a forensic analysis, the iOS is a boon to uncovering information that the owner of the device would be shocked to learn can be discovered.
I am realistic. Many people are gaga for every device Apple makes. To borrow a phrase: “If Apple took a brick and called it an iPhone you would still want it.” For these people, buying a smartdevice is all about being trendy and the purchase is almost all based upon emotions. I doubt that anything they read about poor security on the iOS will change their behavior.
For others, I suggest “Think Different.” Resist the temptation to use an unprotected consumer device for business. Use your iPhone/iPad as a media device, and use Blackberries (with the Blackberry Enterprise Server), for business use. It looks like the industry will release business-oriented slate devices to compete with iPad. That may turn out to be smarter for business use.
Until Apple addresses the underlying security issues in the platform, it’s a safe prediction that we will hear other stories about security flaws hurting iOS users.