Archive for mobile phone security

March 14, 2011 – Episode 204

Posted in Breach, criminal forensics, ediscovery, Show Notes, The CyberJungle, Vulnerabilities on March 13, 2011 by datasecurityblog

Episode 204 of The CyberJungle is about 39 minutes long. You can hear it by clicking on the flash player below. You may download the file directly – great for listening on many smartphones. Or, you may go to the listening options page and browse for other ways to hear the show. The interviews start at about the 30:30 mark.

Interview

Interview: Trevor Dietrich, VP and Co-Founder of Bayalink Solutions, on a virtualization app to secure iPads, and more. He’s seeking beta testers. Trevor’s Twitter Feed.

Our Take on The Week’s News

A federal district court in New Jersey has decided that a social worker and a special education instructor employed by the school board are liable for violating a high school student’s privacy… after the teacher handed out a poorly-redacted copy of the student’s psychological evaluation as a teaching tool. Read the story here, or read the court’s decision.

Industrial Espionage at Renault, or poor forensics, or both? Some details in this Economist story.

California’s top utility regulator has given Pacific Gas and Electric Co. two weeks to propose a way for customers to opt out of receiving the company’s controversial wireless SmartMeters.

The iPhone 4 and the BlackBerry both fall at the CanSecWest Pwn2Own contest.

Tales From The Dark Web

Vehicle hacking via trojan MP3? Read the story here.


March 7, 2011 – Episode 203

Posted in Breach, Business Continuity, Court Cases, criminal forensics, ediscovery, Exclusive News, Legislation, Podcast, Show Notes, The CyberJungle, Vulnerabilities on March 7, 2011 by datasecurityblog

Episode 203 of The CyberJungle is about 53 minutes long. You can hear it by clicking on the flash player below. You may download the file directly – great for listening on many smartphones. Or, you may go to the listening options page and browse for other ways to hear the show. The interviews start at about the 25:30 mark.

Interviews

Charlie Miller, three-time Pwn2Own “hacking” contest winner, stays home; response by Dragos, founder of CanSecWest. Follow Charlie on Twitter.

Tales From The Dark Web

Exactly what is the “boy-in-the-browser attack?”

Our Take on The Week’s News

Lawsuit accuses Amazon of capturing and sharing customer information without permission by tricking Microsoft Internet Explorer.

Google Android in-app malware flap, iPad 2 security, and the BlackBerry PlayBook running Android apps: does that mean better security? Here is the interview on PlayBook security that Ira Victor mentioned in this segment. You may download the segment, or listen to the conversation here:

More mobile security news: Keeping Tabs on Android Smartphone Activity.

Proof once again that disgruntled employees are among the most dangerous cybercriminals… Texas man sentenced after breaching former employer’s network and deleting critical business files.

Wrap

OtterBox cases for slider smartphones: Samantha and Ira give a new OtterBox the field test.

Feb 15, 2011 – Episode 200

Posted in Conference Coverage, Legislation, Show Notes, The CyberJungle on February 15, 2011 by datasecurityblog

Episode 200 of The CyberJungle is 27 minutes long. You can hear it by clicking on the flash player below. You may download the file directly – great for listening on many smartphones. Or, you may go to the listening options page and browse for other ways to hear the show. The interview is about 8 minutes long and it starts at about the 18:25 mark.

Interviews

Simple physical security – without the “security system tax/fee.” We talk with Andrew Saldana of SecurityMan.

Tales From The Dark Web

HBGary exposed for trying to counter-attack WikiLeaks; a security institute issues a rare request related to the counter-counter-attack.

Our Take on The Week’s News

No man’s personal identity is safe while the legislature is in session.

RSA Conference report: with CipherCloud, businesses can encrypt data stored on popular cloud services like Salesforce.com.

RSA Conference report: Invincea has a new technology that combines virtual machine browsers with behavior-based malware blocking.

RSA Conference report: Entersect from South Africa has a very interesting twist to 2-factor authentication.

Ira is at RSA San Francisco 2011. Ira will post reports in Conference Notes. Reports sponsored by LogLogic – The IT Data Management company. Meet Ira in the LogLogic booth #828 during Tuesday night’s RSA pub crawl and drink some of Travis Smith’s 510 nano-brew, served fresh in the booth.

October 17, 2010 – Episode 181

Posted in Breach, Court Cases, criminal forensics, darkweb, ediscovery, Legislation, The CyberJungle, Vulnerabilities on October 17, 2010 by datasecurityblog

Episode 181:

This week’s regular episode of The CyberJungle is 1 hour and 13 minutes long. You can hear it by clicking on the flash player below, or you can go to the listening options page and browse for other ways to hear the show.

Interview

Jason Miller, patch management expert with Shavlik Technologies, tells us how to deal with the biggest patch release in modern IT history… which took place on Tuesday, October 12. Jason’s interview is 8 minutes long, and it begins about 24 minutes into Episode 181.

Tales from the Dark Web

You’ve heard of “software as a service”… Now there’s “crimeware as a service” – a convenient way for the bad guys to outsource their criminal acts.

Our Take on This Week’s News

What’s in your medicine cabinet? The Feds and 34 states are putting together a giant prescription drug database so they can review the contents.

What did he know, and when did he know it? At least one IT staffer in the Lower Merion School District waxed fondly about the remote tracking capabilities on the laptops issued to students who later sued the district for spying on them.

Bullying is bad, um-kay? President Obama holds a town hall with MTV viewers, during which he tells them there should be zero tolerance for bullying — cyber or otherwise.

Security tradeoff: caution for coolness – Device Reputation Service Reveals iPhone at Top of Mobile Transaction Fraud Risk.

Your building pass could be more valuable than ever – Some federal employees will see their CACs (common access RFID cards) expanded. They’ll still get the card holder into a building or a computer system. But the cards will be expanded to include mass transit fares, debit payment, and ATM functionality… all in one card.

Mixing business and pleasure – Explosive growth of mobile devices leads to security risks as workers use their own devices to store and transmit work data.

Fun finder or stalker tool? The website wheretheladies.at monitors social networking sites to help dudes locate gatherings of women. But blogger Jason Stamper conducted an experiment that points out the dangers women might face when they publish all the details of their daily lives.

Kudos for baking it in! New version of Opera to have extensions with software code check for security.

August 22, 2010 – Episodes 164 and 165

Posted in Breach, Court Cases, criminal forensics, darkweb, ediscovery, The CyberJungle on August 22, 2010 by datasecurityblog

Episode 165 is this week’s full episode of The CyberJungle, posted immediately below. Episode 164 is the su root edition for advanced listeners – material that’s too technical for the radio. The advanced material consists of an interview with Dr. Richard Boyd, a senior researcher with Georgia Tech Research Institute, on using low-cost graphics cards to brute force passwords. Scroll down to the end of this batch of show notes to find it.

Episode 165:

This week’s regular episode of The CyberJungle is 1 hour and 18 minutes long. You can hear it by clicking on the flash player below, or you can go to the listening options page and browse for other ways to hear the show.

Interview

Joshua Davis is a researcher with the Georgia Tech Research Institute. We discuss the new standards for strong passwords, and the new ease with which passwords can be broken. The 7-minute interview starts at about 22 minutes into episode 165.

Learn More: Teraflop Troubles: The Power of Graphics Processing Units May Threaten the World’s Password Security System

Tales from the Dark Web

If you get a message that looks like it’s from LinkedIn, be extra careful. There’s a fake one circulating and it may link you to rogueware.

Our Take on This Week’s News

Get your tech out of my trash can – The City of Cleveland is expanding a pilot program which monitors trash cans of city residents via RFID chips embedded in the cans. Because of a trash-sorting requirement to use separate cans for recycling, city workers are able to monitor how often each household recycles, and decide whether too much time has passed since the recycling cart was last brought to the curb. If the household is sluggish in its recycling practices, the city will inspect the trash, and can fine the resident.

We’re reading more about automated safety alerts that are supposed to tip off workers to possible problems with industrial systems, and computer malfunctions that cause these features not to work or to be ignored. Or maybe we’re just noticing these stories more since the Gulf oil spill. Now it seems malware may have been indirectly responsible for an airplane crash a couple of years back. The report is due out soon after a two-year investigation of a Spanair jet that crashed because of wing flaps that didn’t get repaired.

We took our eye off the school laptop spyware case for a few months, and missed some developments in the lawsuit against the Lower Merion School District, which has been swimming in a vat of hot water since it botched a scheme to track missing school-issued laptops, and ended up snapping photos of kids in their bedrooms instead. There was a second suit filed by another kid whose privacy was invaded. The expenses related to defending the district are pushing a million bucks, and the insurance company won’t pay. Hello, taxpayers. And the lawyer for the plaintiffs says he wants his money now. BTW, the district will roll out a policy on Monday for laptop tracking. Gee, too bad they didn’t do that before they gave the kids laptops loaded up with spyware.

Beware the TapSnake game – It’s GPS spyware on Android. TapSnake and GPS SPY are companion programs developed by a Russian developer based in Texas, Mr. Max Lifshin (“Maxicom”). Someone posted a link to his resume, where we discover that he used to work for the Massachusetts Water Resources Authority.

The government-industry partnership – Government agencies aren’t providing business with timely tips about cyberthreats, according to a GAO report. (PDF)

Ira’s Classroom

Easy way to disguise your email address from spammers: http://scr.im

How to free yourself from the prying eyes of Google (Or, recognizing that you can’t be entirely free of Google, take some steps to minimize Google surveillance):

Two Resources: http://safeandsavvy.f-secure.com/2010/08/16/get-google-out-of-your-life/ and http://howto.wired.com/wiki/Un-Google_Yourself

Search engine alternative, excellent as your home page: http://www.StartPage.com

Episode 164 – su root edition:

This is our unedited edition, featuring a longer and more technical conversation with Dr. Richard Boyd of the Georgia Tech Research Institute, about a new threat to common passwords. Learn More at Teraflop Troubles: The Power of Graphics Processing Units May Threaten the World’s Password Security System.

You can hear it by clicking on the flash player below, or you can go to the listening options page and browse for other ways to hear the show. The audio file is 25 minutes long.

August 8, 2010 – Episode 160 and 161 from DefCon 18

Posted in Conference Coverage, criminal forensics, darkweb, ediscovery, Show Notes, The CyberJungle, Vulnerabilities, web server security on August 7, 2010 by datasecurityblog

Episode 161 is this week’s full episode of The CyberJungle, posted immediately below. Episode 160 is the su root edition for advanced listeners – material that’s too technical for the radio. The advanced material consists of three conversations from DefCon 18. Scroll down to the end of this batch of show notes to find it.

Episode 161:

This week’s regular episode of The CyberJungle is 1 hour and 12 minutes long. You can hear it by clicking on the flash player below, or you can go to the listening options page and browse for other ways to hear the show.

Interview:

Security researcher Craig Heffner offers an alarming discovery about the consumer-grade routers you buy at the big box store. He’s found major flaws in these router/firewalls. This interview is about 8 minutes long, and it begins at 59 minutes into Episode 161. Or you can just listen to the interview by going to our conference notes page. Also, here are some links to more information about Craig’s work:

Craig Heffner’s white paper on this attack

Craig Heffner’s DefCon 18 presentation slides

Craig Heffner’s proof-of-concept code

Tales from the Dark Web:

Our dramatic audio taken at a DefCon 18 press conference, in which the host of the press conference begins (quite out of the blue) to describe his personal relationship with Adrian Lamo, one of the central characters in the Wikileaks incident. We posted this story, and six minutes of audio featuring cybersecurity researcher and self-described white-hat hacker Chet Uber on the last day of DefCon. In it, Uber discusses how he persuaded Lamo to turn in accused leaker Pfc Bradley Manning. There is a disputed fact in Uber’s account. Uber said he helped Lamo determine that documents in his possession were classified. Lamo now denies that he ever had possession of top secret documents. The facts will come out at Bradley Manning’s trial. No matter who is correct, the sound file offers some interesting insight into how a high-level meeting with federal law enforcement is arranged, and what top secret documents look like. The file is at the bottom of this story, if you want to hear it.

Our Take on This Week’s News:

The National Science Foundation has a porn problem according to Senator Chuck Grassley. Seems the science guys are passing around porn despite technical measures taken by the agency to block it. Oh, and there’s one guy who reportedly spends 20 percent of his time looking at porn, at an estimated cost to the taxpayer of $58,000. So do the math. This guy makes $290k per year??? WTF!!!

BlackBerry Ban – RIM Coming To Agreement With Middle-Eastern and Asian Nations on Eavesdropping. The question that we are still researching: What about a foreigner that uses BES in one of the nations? Is the traffic routed to one of these local RIM servers, or back to Canada?

Apple remote jailbreak flaw: Major Flaw Uncovered in Apple iPhone/iPad/iPod.

Salute to the Wall Street Journal for its series this week on web tracking, cell tracking and other privacy issues.

We stumbled over the Social Engineering contest at DefCon 18. A super fun event to watch, as contestants placed phone calls to major U.S. corporations, and charmed employees into revealing a wide range of information about company operations — everything from the name of the dumpster service to the details of the IT architecture. (We posted a story about it here, describing a call to Apple that yielded a whole lotta info. Boy, Steve’s gonna be mad. There’s also an audio file with a three-minute explanation of the contest by its organizers, a group called Social-Engineer. The audio file is located about half-way through the story.) Read about the Social Engineering organization here.

The annual session on physical lock security is always a hit. (This year there was more than one.) We attended the presentation by Marc Weber Tobias. His team demonstrated flaws in five different locks, from the plain-vanilla pin tumbler lock on your back door, to the $200 fingerprint biometric, the electronic RFID military lock and even a personal safe. You can see the videos here, demonstrating how the locks were breached.

Speaking of physical security — a state agency head in California sent an email message to 175 employees announcing that the lock at the south end of their office building was malfunctioning, and there was no budget to fix it. This column in the Sacramento Bee offers an unintentionally comical account of the way this broken lock was broadly communicated to the world when one of the employees faxed a copy of the email to a state worker newsletter. The info apparently ended up — we’re not sure how — on the desk of the SacBee reporter who wrote the column. The major point of the story is that California has no money, and even getting approval to fix a broken lock on a state building in a bad neighborhood is a tough uphill climb. But the funny part is how nobody ever stopped to consider that inside this building, where unemployment benefit checks are written, there is a whopping amount of personal information about the citizens of the State Formerly Known as Golden. Wow… If we were bad guys we’d probably keep an eye on this place even after the lock is fixed, because it might be a really easy target.

Adobe plans emergency patch for critical Reader bug.

If we don’t laugh, we’ll probably cry. For laughs – a national association of perverts has offered an endorsement of body scanning machines in airports. Now read this and weep – The feds love these machines so much that they’ve decided to deploy them at federal courthouses as well as airports. Where next, the public library? And yes, they do store images, the feds now admit, after repeated denials that the machines had such capabilities. Duh. Did we think they would perform a visual inspection for contraband, and then fail to store the image for evidence during prosecution?

Episode 160 – su root edition:

This is our unedited edition, featuring three interviews straight from DefCon 18. The audio file is 34 minutes long. This is a special DefCon 18 edition featuring interviews with David Bryan on building a network to withstand thousands of hackers, using low-cost equipment and volunteers. He has lessons for anyone building a network today. Then we have an interview with Chris Drake of Firehost web hosting on web application security. Finally, the third interview is with Suhil Ahmed of Airwave Security about his discovery of a flaw in the WPA WiFi security protocol that can reveal confidential information and has no patch, but there is a workaround.

You can hear it by clicking on the flash player below, or you can go to the listening options page and browse for other ways to hear the show.

Think Different: Citibank iPhone Risks Banking Data

Posted in Announcements, Breach, eMail Security on July 26, 2010 by datasecurityblog

Citibank announced today a major flaw in its iPhone/iPad banking app. The app leaves account information on the device. Why is this bad? Well, iPhone/iPad/iOS does not support whole disc encryption.

At last month’s Gartner Security and Risk Conference in DC, I sat next to a Senior Executive with one of the larger anti-virus companies. According to this executive, the company wants to make and sell a whole disc crypto product, but Apple will not open its API (application program interface) to support whole disc encryption.

Citi iPhone App

Today’s announcement by Citibank about a flaw in their app comes as little surprise. While this particular flaw can be fixed with an update, the fact remains: the foundation is sitting on shifting sands. iOS is first and foremost a consumer media platform. It has a great bright interface, and plays music and videos really well. It has a great eBook reader. But these devices were not and are not built with security and privacy at their foundation.

When you mistype a word, iOS saves it, unencrypted. When you use a map, iOS saves it, unencrypted. When info is “erased,” the platform saves it, unencrypted. For forensic analysts, iOS is a boon: it yields information that the owner of the device would be shocked to learn can be recovered.

Some will say, “all devices are like this.” Well, that is just not so. The BlackBerry platform was built with security in mind, rather than as an afterthought. That’s why the UAE government views the BlackBerry as a security threat. Not the iPhone.

I am realistic. Many people are gaga for every device Apple makes. To borrow a phrase: “If Apple took a brick and called it an iPhone you would still want it.” For these people, buying a smartdevice is all about being trendy and the purchase is almost all based upon emotions. I doubt that anything they read about poor security on the iOS will change their behavior.

For others, I suggest “Think Different.” Resist the temptation to use an unprotected consumer device for business. Use your iPhone/iPad as a media device, and use BlackBerries (with the BlackBerry Enterprise Server) for business use. It looks like the industry will release business-oriented slate devices to compete with the iPad. That may turn out to be smarter for business use.

Until Apple addresses the underlying security issues in the platform, it’s a safe prediction that we will hear other stories about security flaws hurting iOS users.

June 26, 2010 – Episode 149

Posted in Breach, Conference Coverage, Court Cases, criminal forensics, darkweb, ediscovery, eMail Security, Exclusive, Legislation, Report Security Flaws, The CyberJungle, Vulnerabilities, web server security on June 26, 2010 by datasecurityblog

You can listen to Episode 149 by clicking on the flash player below, or go to our listening options page for a list of other ways to receive the show. Episode 149 is one hour and 15 minutes long.

Interviews:

Your employees will use social media whether you like it or not… and our expert says fully 20 percent of current business communication is done via social media. So why not take control of the situation, and create ground rules and guidelines, so you’re in charge of how it’s used? Our interview with Gartner Research Director Andrew Walls is 8 minutes long and starts about 24 minutes into the show. This is an excerpt. We also posted the entire 25-minute interview on our conference notes page, if you’d like to hear it.

In our interview with Ed Rowley of M86 Security, we discuss a new iPhone scam. The interview starts 61 minutes into the show.

Tales from the Dark Web

Polymorphic attacks are making the latest drive-by infected web sites mostly invisible to signature-based anti-virus.

Our Take on This Week’s News

iPhone 4 and Motorola Droid X released in the same week. Guess which phone won the hype war? The press coverage of the iPhone release centered on the ecstatic throngs of Apple heads waiting all night on the sidewalk outside the stores. The Android roundup consisted of dry product reviews and analysis of the platform’s future prospects.

Meanwhile, smartphone security is a hot topic, and Ira just returned from the Gartner Security and Risk Management Summit, where there was a comprehensive session on the subject.

Speaking of phones… Congress is holding hearings on cellphone tracking of citizens by government.

Employers are in denial about the sensitive information that lives on the laptops and smartphones of their employees. Listen to our interview with Kevin Beaver of Principle Logic, who found an interesting gap between perception and reality while he was conducting security audits. The interview is just over 4 minutes long, taped at the Gartner conference. Look for it on our conference notes page.

Scotland Yard cuffs teens alleged to be participants in the largest English-speaking cybercrime forum in the world.

Lawyers breach medical records during discovery. Anthem spokesperson says not to worry, the data was only accessible for a short period of time. Thank goodness!

FBI released information about a new approach to banking attacks, with a simultaneous denial of service attack on the account holder’s phone lines. Very complicated.

Happy Birthday to George Orwell. His influence cannot be overstated. He would have been 107 years old on June 25, 2010.

June 12, 2010 – Episode 145

Posted in Breach, Conference Coverage, Court Cases, criminal forensics, darkweb, ediscovery, eMail Security, Legislation, The CyberJungle, Vulnerabilities, web server security on June 14, 2010 by datasecurityblog

You can hear episode 145 of The CyberJungle by clicking on the Flash player below, or go to our listening options page for other ways to listen. Episode 145 is 69 minutes long.

Interview Segments:

We talked with Jason Miller from Shavlik about why some businesses are still playing catch-up from the big Patch Tuesday… and about the Adobe Flash flaw that affects just about everyone on the planet. Check the patch management site for help. The interview starts about 21 minutes into Episode 145.

We also played an interview from earlier this year with David Shroyer from Bank of America. This is a short excerpt from a longer conversation about the reaction of the financial services industry to the Zeus banking attacks. The 7-minute segment we aired today is about the “money mules” who launder cash for cybercriminals. The mules are generally suckers who fall for the “work at home in your pajamas and make thousands of dollars with your computer” schemes. This interview starts about 56 minutes into Episode 145.

Tales from the Dark Web:

Visitors to adult sites might encounter some naughtiness that has nothing to do with sex. See the BBC story: ‘Shady’ porn site practices put visitors at risk.

Show notes:

AT&T web application flaw combines with Apple business model flaw to allow a major hack of iPad user email addresses. The story was widely told this week. Here’s one version. There are a lot more angles to this story than the mainstream press has covered.

British Petroleum is in for an e-discovery gusher once the Gulf oil spill litigation begins. Court orders for documents will follow, and the cost of discovery could top $100 million, according to this post.

Adobe Flash and Adobe PDF attack surge.

FIFA 2010 World Cup is inspiring a wave of malicious spam tailored to soccer fans. Symantec has a good overview of “Crimes Against Football Fans” here.

Google has hired an independent firm to investigate its Street View “snafu,” in which its camera vehicles snarfed up information from thousands of private wifi networks, violating privacy and perhaps breaking the law. The report from the company’s own investigators suggests criminal intent.

Prepaid cell phones are the last available communication device that offers privacy and anonymity. But two U.S. Senators would like to put an end to it. Schumer (NY) and Cornyn (TX) want to register the ID of phone purchasers and require the carriers to keep the data for 18 months after deactivation.

Google expands location tags – and other popular location services are riddled with bugs, according to this report.

Beverly High School students in Boston will be required to have a laptop next fall. But not just any laptop. Parents will have to shell out $900 for a MacBook. School administrators say PCs will be incompatible with the school’s network. What?

Our Tether contest – win wireless access for your BlackBerry

Thanks to Tether for providing a generous number of full-value licenses to award as prizes for listeners of The CyberJungle. We love the product, and have given away 10 licenses each in episodes 141 and 143. You can still enter by sending an email to comments@thecyberjungle.com, and telling us which version of the BlackBerry software you’re running. (Find this by going to “settings -> options -> about” on your BB.) We award the prize to the first ten requests of the week. Our week runs Saturday through Friday. If you win, we ask that you send an acknowledgment once you’ve received your key, so we know you got it. Then we will delete your email, as a gesture of respect for your privacy.

BTW — there is a :60 second Tether commercial in these shows. We are running them as a thank-you to Tether for the software keys. We want to acknowledge the people who created some of the components in the spot. The Free Sound Project is an awesome organization for people like us, whose ears are bigger than our budgets when it comes to production. The audio effects in the Tether spot came from the site, and we thank the creative producers who post their work. Especially — someone with the handle kkz who created a file called “t-weak bass” … someone with the handle dland who created a file called “to hell with vinyl”… and someone with the handle Halleck, who created “crash reverse.” All can be heard in the Tether spot, which airs at approximately 29:50 in episode 143.
