Episode 204 of The CyberJungle is about 39 minutes long. You can hear it by clicking on the flash player below. You may download the file directly – great for listening on many smartphones. Or, you may go to the listening options page and browse for other ways to hear the show. The interviews start at about the 30:30 mark.
To listen to Episode 204 via the flash player:
Interview
Interview: Trevor Dietrich, VP and Co-Founder of Bayalink Solutions, on a virtualization app to secure iPads, and more. He’s seeking beta testers. Trevor’s Twitter Feed.
Our Take on The Week’s News
A federal district court in New Jersey has decided that a social worker and a special education instructor employed by the school board are liable for violating a high school student’s privacy, after the teacher handed out a poorly redacted copy of the student’s psychological evaluation as a teaching tool. Read the story here, or read the court’s decision.
Industrial Espionage at Renault, or poor forensics, or both? Some details in this Economist story.
California’s top utility regulator has given Pacific Gas and Electric Co. two weeks to propose a way for customers to opt out of receiving the company’s controversial wireless SmartMeters.
The iPhone 4 falls at the CanSecWest Pwn2Own contest, and so does the BlackBerry.
Episode 203 of The CyberJungle is about 53 minutes long. You can hear it by clicking on the flash player below. You may download the file directly – great for listening on many smartphones. Or, you may go to the listening options page and browse for other ways to hear the show. The interviews start at about the 25:30 mark.
To listen to Episode 203 via the flash player:
Interviews
Charlie Miller, three-time Pwn2Own “hacking” contest winner, stays home; response by Dragos, founder of CanSecWest. Follow Charlie on Twitter.
Lawsuit accuses Amazon of capturing and sharing customer information without permission by tricking Microsoft Internet Explorer
Google Android in-app malware flap, iPad 2 security, and the BlackBerry PlayBook running Android apps + better security? Interview on PlayBook security that Ira Victor mentioned in this segment. You may download the segment, or listen to the conversation here:
Proof once again that disgruntled employees are among the most dangerous cybercriminals: a Texas man is sentenced after breaching his former employer’s network and deleting critical business files.
Wrap
OtterBox Cases for slider Smartphones: Samantha and Ira give a new OtterBox the field test
Episode 200 of The CyberJungle is 27 minutes long. You can hear it by clicking on the flash player below. You may download the file directly – great for listening on many smartphones. Or, you may go to the listening options page and browse for other ways to hear the show. The interview is about 8 minutes long and it starts at about the 18:25 mark.
To listen to Episode 200 via the flash player:
Interviews
Simple Physical Security – Without the “security system tax/fee.” We talk with Andrew Saldana with SecurityMan
Tales From The Dark Web
HBGary exposed for trying to counter-attack WikiLeaks; a security institute issues a rare request related to the counter-counter-attack.
This week’s regular episode of The Cyberjungle is 1 hour and 13 minutes long. You can hear it by clicking on the flash player below, or you can go to the listening options page and browse for other ways to hear the show.
To listen to Episode 181 via the flash player:
Interview
Jason Miller, patch management expert with Shavlik Technologies, tells us how to deal with the biggest patch release in modern IT history… which took place on Tuesday, October 12. Jason’s interview is 8 minutes long, and it begins about 24 minutes into Episode 181.
Your building pass could be more valuable than ever – Some federal employees will see their CACs (Common Access Cards) expanded. They’ll still get the card holder into a building or a computer system, but the cards will also carry mass transit fares, debit payment, and ATM functionality… all in one card.
Fun finder or stalker tool? The website wheretheladies.at monitors social networking sites to help dudes locate gatherings of women. But blogger Jason Stamper conducted an experiment that points out the dangers women might face when they publish all the details of their daily lives.
This week’s regular episode of The Cyberjungle is 1 hour and 14 minutes long. You can hear it by clicking on the flash player below, or you can go to the listening options page and browse for other ways to hear the show.
To listen to Episode 169 via the flash player:
Interview
Sean-Paul Correll from Panda Security discusses a survey of small and mid-sized businesses, and what he’s learned about their attitudes and habits when it comes to security.
Read the Panda Security report on small and medium-sized business security. Sean-Paul also mentioned a free USB anti-malware tool; you may find it here.
Tales from the Dark Web
Fake my traffic - is it a scam, or is it just someone who wants to help you perpetrate a scam?
Our Take on This Week’s News
We hate Google, writ large – Consumer Watchdog has produced a hilarious video taking a jab at Google and Eric Schmidt. Worth watching… and a lot of folks are seeing it, since it’s playing on the Jumbotron in Times Square. Schmidt as an evil ice cream man offering kids free goodies while taking a body scan from his Good Humor truck. But we wonder about asking Congress to create a “don’t track me” list. That’s like asking the Three Stooges to clean out the tool shed without hurting each other.
Some newer scanners offer a web-based remote document retrieval feature that serves as a hacking tool.
Tales from The Dark Web: Big web traffic means big bucks … but have we uncovered a big Dark Web scam?
Be careful of email messages that appear to come from Symantec products. They just might be a scam. See more at Martin Hall’s blog, The Test Manager.
Brian Krebs continues his excellent coverage of the banking Trojans and the people who carry out the attacks. This time the criminals told a money mule that cash stolen from a Catholic diocese was intended for victims of sexual abuse.
Microsoft DLL flaw – new Fixit tool from Microsoft, to be used in conjunction with other mitigation techniques.
Episode 165 is this week’s full episode of The CyberJungle, posted immediately below. Episode 164 is the su root edition for advanced listeners – material that’s too technical for the radio. The advanced material consists of an interview with Dr. Richard Boyd, a senior researcher with the Georgia Tech Research Institute, on using low-cost graphics cards to brute-force passwords. Scroll down to the end of this batch of show notes to find it.
Episode 165:
This week’s regular episode of The Cyberjungle is 1 hour and 18 minutes long. You can hear it by clicking on the flash player below, or you can go to the listening options page and browse for other ways to hear the show.
To listen to Episode 165 via the flash player:
Interview
Joshua Davis is a researcher with the Georgia Tech Research Institute. We discuss the new standards for strong passwords, and the new ease with which passwords can be broken. The 7-minute interview starts at about 22 minutes into episode 165.
Learn More: Teraflop Troubles: The Power of Graphics Processing Units May Threaten the World’s Password Security System
Get your tech out of my trash can – The City of Cleveland is expanding a pilot program which monitors trash cans of city residents via RFID chips embedded in the cans. Because of a trash-sorting requirement to use separate cans for recycling, city workers are able to monitor how often each household recycles, and decide whether too much time has passed since the recycling cart was last brought to the curb. If the household is sluggish in its recycling practices, the city will inspect the trash, and can fine the resident.
We’re reading more about automated safety alerts that are supposed to tip off workers to possible problems with industrial systems, and about computer malfunctions that cause these features not to work or to be ignored. Or maybe we’re just noticing these stories more since the Gulf oil spill. Now it seems malware may have been indirectly responsible for an airplane crash a couple of years back. The report is due out soon, after a two-year investigation of a Spanair jet that crashed because of wing flaps that didn’t get repaired.
We took our eye off the school laptop spyware case for a few months, and missed some developments in the lawsuit against the Lower Merion School District, which has been swimming in a vat of hot water since it botched a scheme to track missing school-issued laptops, and ended up snapping photos of kids in their bedrooms instead. A second suit was filed by another kid whose privacy was invaded. The expenses related to defending the district are pushing a million bucks, and the insurance company won’t pay. Hello, taxpayers. And the lawyer for the plaintiffs says he wants his money now. BTW, the district will roll out a policy on laptop tracking on Monday. Gee, too bad they didn’t do that before they gave the kids laptops loaded up with spyware.
Beware the TapSnake game – it’s GPS spyware on Android. TapSnake and GPS SPY are companion programs developed by a Russian developer based in Texas, Max Lifshin (“Maxicom”). Someone posted a link to his resume, where we discover that he used to work for the Massachusetts Water Resources Authority.
The government-industry partnership – Government agencies aren’t providing business with timely tips about cyberthreats, according to a GAO report. (PDF)
Ira’s Classroom
Easy way to disguise your email address from spammers: http://scr.im
How to free yourself from the prying eyes of Google (Or, recognizing that you can’t be entirely free of Google, take some steps to minimize Google surveillance):
This is our unedited edition, featuring a longer and more technical conversation with Dr. Richard Boyd of the Georgia Tech Research Institute, about a new threat to common passwords. Learn More at Teraflop Troubles: The Power of Graphics Processing Units May Threaten the World’s Password Security System.
You can hear it by clicking on the flash player below, or you can go to the listening options page and browse for other ways to hear the show. The audio file is 25 minutes long.
To listen to su root edition (episode 164) via the flash player:
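The GPU threat discussed in episode 165 and, at greater length, in the su root edition above comes down to counting: a brute-force attack is a loop over every string in a keyspace, and a graphics card simply runs that loop billions of times per second. The Python below is an added illustration, not code from the show, from the Georgia Tech “Teraflop Troubles” report, or from any cracking tool. It runs the same exhaustive search against a SHA-1 hash on a tiny lowercase keyspace, then estimates how long the full search would take for longer passwords and richer alphabets. The guess rates (10 million/s for a CPU core, 1 billion/s for a GPU) are assumptions chosen for the example, not measurements, and the target hash is constructed from the deliberately weak password “abc”.

```python
import hashlib
import itertools
import string

# Alphabets used in the estimates below.
LOWER = string.ascii_lowercase                      # 26 symbols
ALNUM = string.ascii_letters + string.digits        # 62 symbols
PRINTABLE = ALNUM + string.punctuation              # 94 symbols


def brute_force_sha1(target_hex, alphabet, max_len):
    """Exhaustive search: hash every string over `alphabet` of length
    1..max_len and stop at the first one whose SHA-1 equals target_hex.
    Returns (preimage, guesses_made), or (None, guesses_made) if exhausted."""
    guesses = 0
    for length in range(1, max_len + 1):
        for combo in itertools.product(alphabet, repeat=length):
            guesses += 1
            candidate = "".join(combo)
            if hashlib.sha1(candidate.encode()).hexdigest() == target_hex:
                return candidate, guesses
    return None, guesses


def seconds_to_exhaust(length, alphabet_size, guesses_per_second):
    """Worst-case time to try every password of exactly `length` symbols."""
    return alphabet_size ** length / guesses_per_second


def crack_time_table(guesses_per_second, lengths=(6, 8, 10, 12)):
    """Worst-case seconds keyed by (alphabet name, length) at the given rate."""
    table = {}
    alphabets = (("lower", LOWER), ("alnum", ALNUM), ("printable", PRINTABLE))
    for name, alphabet in alphabets:
        for n in lengths:
            table[(name, n)] = seconds_to_exhaust(n, len(alphabet), guesses_per_second)
    return table


def humanize(seconds):
    """Render a duration in the largest convenient unit."""
    units = (("years", 365 * 24 * 3600), ("days", 24 * 3600),
             ("hours", 3600), ("minutes", 60))
    for unit, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.1f} seconds"


if __name__ == "__main__":
    # Constructed target: SHA-1 of the weak password "abc".
    target = hashlib.sha1(b"abc").hexdigest()
    found, tried = brute_force_sha1(target, LOWER, 3)
    print(f"recovered {found!r} after {tried} guesses")

    # Assumed rates, not measurements: one CPU core versus one consumer GPU.
    for label, rate in (("CPU, 10 M guesses/s", 1e7), ("GPU, 1 G guesses/s", 1e9)):
        print(f"\n{label}")
        for (name, n), secs in sorted(crack_time_table(rate).items()):
            print(f"  {name:>9} x{n:2d}: {humanize(secs)}")
```

The point the table makes is the one the report makes: going from 8 to 12 characters multiplies the worst-case work by the alphabet size to the fourth power, which is what keeps a keyspace ahead of a hundredfold jump in guess rate; shuffling in punctuation helps far less than adding length.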
Episode 161 is this week’s full episode of The CyberJungle, posted immediately below. Episode 160 is the su root edition for advanced listeners – material that’s too technical for the radio. The advanced material consists of three conversations from DefCon 18. Scroll down to the end of this batch of show notes to find it.
Episode 161:
This week’s regular episode of The Cyberjungle is 1 hour and 12 minutes long. You can hear it by clicking on the flash player below, or you can go to the listening options page and browse for other ways to hear the show.
To listen to Episode 161 via the flash player:
Interview:
Security researcher Craig Heffner offers an alarming discovery about the consumer-grade routers you buy at the big-box store: he’s found major flaws in these router/firewalls. This interview is about 8 minutes long, and it begins 59 minutes into Episode 161. Or you can listen to just the interview by going to our conference notes page. Also, here are some links to more information about Craig’s work:
Our dramatic audio taken at a DefCon 18 press conference, in which the host of the press conference begins (quite out of the blue) to describe his personal relationship with Adrian Lamo, one of the central characters in the Wikileaks incident. We posted this story, and six minutes of audio featuring cybersecurity researcher and self-described white-hat hacker Chet Uber on the last day of DefCon. In it, Uber discusses how he persuaded Lamo to turn in accused leaker Pfc Bradley Manning. There is a disputed fact in Uber’s account. Uber said he helped Lamo determine that documents in his possession were classified. Lamo now denies that he ever had possession of top secret documents. The facts will come out at Bradley Manning’s trial. No matter who is correct, the sound file offers some interesting insight into how a high-level meeting with federal law enforcement is arranged, and what top secret documents look like. The file is at the bottom of this story, if you want to hear it.
Our Take on This Week’s News:
The National Science Foundation has a porn problem according to Senator Chuck Grassley. Seems the science guys are passing around porn despite technical measures taken by the agency to block it. Oh, and there’s one guy who reportedly spends 20 percent of his time looking at porn, at an estimated cost to the taxpayer of $58,000. So do the math. This guy makes $290k per year??? WTF!!!
BlackBerry Ban – RIM Coming To Agreement With Middle-Eastern and Asian Nations on Eavesdropping. The question that we are still researching: What about a foreigner that uses BES in one of the nations? Is the traffic routed to one of these local RIM servers, or back to Canada?
Salute to the Wall Street Journal for its series this week on web tracking, cell tracking and other privacy issues.
We stumbled over the Social Engineering contest at DefCon 18. A super fun event to watch, as contestants placed phone calls to major U.S. corporations and charmed employees into revealing a wide range of information about company operations — everything from the name of the dumpster service to the details of the IT architecture. (We posted a story about it here, describing a call to Apple that yielded a whole lotta info. Boy, Steve’s gonna be mad. There’s also an audio file with a three-minute explanation of the contest by its organizers, a group called Social-Engineer. The audio file is located about half-way through the story.) Read about the Social-Engineer organization here.
The annual session on physical lock security is always a hit. (This year there was more than one.) We attended the presentation by Marc Weber Tobias. His team demonstrated flaws in five different locks, from the plain-vanilla pin tumbler lock on your back door, to the $200 fingerprint biometric, the electronic RFID military lock and even a personal safe. You can see the videos here, demonstrating how the locks were breached.
Speaking of physical security — a state agency head in California sent an email message to 175 employees announcing that the lock at the south end of their office building was malfunctioning, and there was no budget to fix it. This column in the Sacramento Bee offers an unintentionally comical account of the way this broken lock was broadly communicated to the world when one of the employees faxed a copy of the email to a state worker newsletter. The info apparently ended up — we’re not sure how — on the desk of the SacBee reporter who wrote the column. The major point of the story is that California has no money, and even getting approval to fix a broken lock on a state building in a bad neighborhood is a tough uphill climb. But the funny part is how nobody ever stopped to consider that inside this building, where unemployment benefit checks are written, there is a whopping amount of personal information about the citizens of the State Formerly Known as Golden. Wow… If we were bad guys we’d probably keep an eye on this place even after the lock is fixed, because it might be a really easy target.
If we don’t laugh, we’ll probably cry. For laughs – a national association of perverts has offered an endorsement of body scanning machines in airports. Now read this and weep – The feds love these machines so much that they’ve decided to deploy them at federal courthouses as well as airports. Where next, the public library? And yes, they do store images, the feds now admit, after repeated denials that the machines had such capabilities. Duh. Did we think they would perform a visual inspection for contraband, and then fail to store the image for evidence during prosecution?
Episode 160 – su root edition:
This is our unedited edition, featuring three interviews straight from DefCon 18. The audio file is 34 minutes long. First, David Bryan on building a network to withstand thousands of hackers using low-cost equipment and volunteers; he has lessons for anyone building a network today. Then an interview with Chris Drake of Firehost web hosting on web application security. Finally, Sohail Ahmad of AirTight Networks on his discovery of a flaw in the WPA WiFi security protocol that can reveal confidential information and has no patch. But there is a workaround.
You can hear it by clicking on the flash player below, or you can go to the listening options page and browse for other ways to hear the show.
To listen to su root edition (episode 160) via the flash player:
Citibank announced today a major flaw in its iPhone/iPad banking app. The app leaves account information on the device. Why is this bad? Well, iPhone/iPad/iOS does not support whole-disk encryption.
At last month’s Gartner Security and Risk Conference in DC, I sat next to a senior executive with one of the larger anti-virus companies. According to this executive, the company wants to make and sell a whole-disk crypto product, but Apple will not open its API (application programming interface) to support whole-disk encryption.
Citi iPhone App
Today’s announcement by Citibank about a flaw in its app comes as little surprise. While this particular flaw can be fixed with an update, the fact remains: the foundation is sitting on shifting sands. iOS is first and foremost a consumer media platform. It has a great, bright interface, and plays music and videos really well. It has a great eBook reader. But these devices were not and are not built with security and privacy at their foundation.
When you mistype a word, iOS saves it, unencrypted. When you use a map, iOS saves it, unencrypted. When info is “erased,” the platform keeps it, unencrypted. For a forensic analyst, iOS is a boon to uncovering information that the owner of the device would be shocked to learn can be discovered.
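One way to check the claim for yourself, added here as an example and not code from this post, from Citi’s app or from any forensic product, is to carve printable strings out of a device backup or file-system image and test them against patterns that only real account data should match. The Python below does exactly that on a constructed byte blob standing in for a slice of such an image; the Luhn checksum weeds out digit runs that merely look like card numbers. Scanning UTF-16LE runs as well as ASCII is an assumption about how some caches store strings, not something the post states.

```python
import re

MIN_RUN = 6  # shortest printable run worth reporting, as strings(1) does


def extract_strings(blob: bytes, min_run: int = MIN_RUN):
    """Yield (offset, text) for printable-ASCII runs and for UTF-16LE runs
    of printable characters found anywhere in a raw byte blob."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_run)
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_run)
    for m in ascii_re.finditer(blob):
        yield m.start(), m.group().decode("ascii")
    for m in utf16_re.finditer(blob):  # assumption: some caches store UTF-16LE
        yield m.start(), m.group().decode("utf-16-le")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; filters random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


# 16 digits, optionally separated by spaces or dashes, not inside a longer run.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){15}\d(?!\d)")
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def find_remnants(blob: bytes):
    """Return [(kind, offset, value)] for Luhn-valid card-like numbers and
    e-mail addresses found in the strings carved from the blob."""
    hits = []
    for offset, text in extract_strings(blob):
        for m in CARD_RE.finditer(text):
            digits = re.sub(r"[ -]", "", m.group())
            if luhn_ok(digits):
                hits.append(("card", offset, digits))
        for m in EMAIL_RE.finditer(text):
            hits.append(("email", offset, m.group()))
    return hits


# Constructed stand-in for a slice of a device image: binary noise, an ASCII
# cache line holding a Luhn-valid test card number, a UTF-16LE e-mail address,
# and a digit run that looks like a card number but fails the checksum.
SAMPLE_IMAGE = (
    b"\x00\x00\x01\x02\xff\xfe"
    + b"acct=4111111111111111;last=Thu"
    + b"\x00\xff"
    + "user@example.com".encode("utf-16-le")
    + b"\x00\x00"
    + b"log: 1234567890123456 checked"
    + b"\x7f\x80\x00"
)


def scan_sample():
    """Run the remnant scan over the constructed image slice."""
    return find_remnants(SAMPLE_IMAGE)


if __name__ == "__main__":
    for kind, offset, value in scan_sample():
        print(f"{kind:5s} @ 0x{offset:04x}: {value}")
```

Run against a real backup directory or raw image, the same two functions answer the question the post raises: if your own account number or e-mail address comes back from a device you believed had wiped or encrypted it, the data was stored in the clear.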
Some will say, “all devices are like this.” Well, that is just not so. The BlackBerry platform was built with security in mind, rather than as an afterthought. That’s why the UAE government views the BlackBerry as a security threat, not the iPhone.
I am realistic. Many people are gaga for every device Apple makes. To borrow a phrase: “If Apple took a brick and called it an iPhone, you would still want it.” For these people, buying a smart device is all about being trendy, and the purchase is almost entirely based on emotion. I doubt that anything they read about poor security on iOS will change their behavior.
For others, I suggest “Think Different.” Resist the temptation to use an unprotected consumer device for business. Use your iPhone/iPad as a media device, and use BlackBerries (with the BlackBerry Enterprise Server) for business. It looks like the industry will release business-oriented slate devices to compete with the iPad. Those may turn out to be smarter for business use.
Until Apple addresses the underlying security issues in the platform, it’s a safe prediction that we will hear other stories about security flaws hurting iOS users.
You can listen to Episode 149 by clicking on the flash player below, or go to our listening options page for a list of other ways to receive the show. Episode 149 is one hour and 15 minutes long.
To listen to Episode 149 via the flash player:
Interviews:
Your employees will use social media whether you like it or not… and our expert says fully 20 percent of current business communication is done via social media. So why not take control of the situation, and create ground rules and guidelines, so you’re in charge of how it’s used? Our interview with Gartner Research Director Andrew Walls is 8 minutes long and starts about 24 minutes into the show. This is an excerpt. We also posted the entire 25-minute interview on our conference notes page, if you’d like to hear it.
In our interview with Ed Rowley of M86 Security, we discuss a new iPhone scam. The interview starts 61 minutes into the show.
Tales from the Dark Web
Polymorphic attacks are making the latest drive-by infected web sites mostly invisible to signature-based anti-virus.
Meanwhile smart phone security is a hot topic, and Ira just returned from the Gartner Security and Risk Management Summit, where there was a comprehensive session on the subject.
Speaking of phones… congress is holding hearings on cellphone tracking of citizens by government.
Employers are in denial about the sensitive information that lives on the laptops and smart phones of their employees. Listen to our interview with Kevin Beaver of Principle Logic, who found an interesting gap between perception and reality while he was conducting security audits. The interview is just over 4 minutes long, taped at the Gartner conference. Look for it on our conference notes page.
Lawyers breach medical records during discovery. An Anthem spokesperson says not to worry, the data was only accessible for a short period of time. Thank goodness!
The FBI released information about a new approach to banking attacks: a simultaneous denial-of-service attack on the account holder’s phone lines. Very complicated.
Happy birthday to George Orwell. His influence cannot be overstated. He would have been 107 years old on June 25, 2010.
You can hear episode 145 of The CyberJungle by clicking on the Flash player below, or go to our listening options page for other ways to listen. Episode 145 is 69 minutes long.
To listen to Episode 145 via the flash player:
Interview Segments:
We talked with Jason Miller from Shavlik about why some businesses are still playing catch-up from the big Patch Tuesday… and about the Adobe Flash flaw that affects just about everyone on the planet. Check the patch management site for help. The interview starts about 21 minutes into Episode 145.
We also played an interview from earlier this year with David Shroyer from Bank of America. This is a short excerpt from a longer conversation about the reaction of the financial services industry to the Zeus banking attacks. The 7-minute segment we aired today is about the “money mules” who launder cash for cybercriminals. The mules are generally suckers who fall for the “work at home in your pajamas and make thousands of dollars with your computer” schemes. This interview starts about 56 minutes into Episode 145.
AT&T web application flaw combines with Apple business model flaw to allow a major hack of iPad user email addresses. The story was widely told this week. Here’s one version. There are a lot more angles to this story than the mainstream press has covered.
British Petroleum is in for an e-discovery gusher once the Gulf oil spill litigation begins. Court orders for documents will follow, and cost of discovery could top $100 million, according to this post.
FIFA 2010 World Cup is inspiring a wave of malicious spam tailored to soccer fans. Symantec has a good overview of “Crimes Against Football Fans” here.
Google has hired an independent firm to investigate its Street View “snafu,” in which its photographer’s vehicles snarfed up information from thousands of private wifi networks, violating privacy and perhaps breaking the law. The report from the company’s own investigators suggests criminal intent.
Prepaid cell phones are the last available communication device that offers privacy and anonymity. But two U.S. Senators would like to put an end to it. Schumer (NY) and Cornyn (TX) want to register the ID of phone purchasers and require the carriers to keep the data for 18 months after deactivation.
Google expands location tags – and other popular location services are riddled with bugs, according to this report.
Beverly High School students in Boston will be required to have a laptop next fall. But not just any laptop. Parents will have to shell out $900 for a MacBook. School administrators say PCs will be incompatible with the school’s network. What?
Our Tether contest – win wireless access for your BlackBerry
Thanks to Tether for providing a generous number of full-value licenses to award as prizes for listeners of The CyberJungle. We love the product, and have given away 10 licenses each in episodes 141 and 143. You can still enter by sending an email to comments@thecyberjungle.com, and telling us which version of the BlackBerry software you’re running. (Find this by going to “settings ->options->about” on your BB.) We award the prize to the first ten requests of the week. Our week runs Saturday-through-Friday. If you win, we ask that you send an acknowledgment once you’ve received your key, so we know you got it. Then we will delete your email, as a gesture of respect for your privacy.
BTW — there is a 60-second Tether commercial in these shows. We are running them as a thank-you to Tether for the software keys. We want to acknowledge the people who created some of the components in the spot. The Freesound Project is an awesome organization for people like us, whose ears are bigger than our budgets when it comes to production. The audio effects in the Tether spot came from the site, and we thank the creative producers who post their work. Especially — someone with the handle kkz who created a file called “t-weak bass” … someone with the handle dland who created a file called “to hell with vinyl”… and someone with the handle Halleck, who created “crash reverse.” All can be heard in the Tether spot, which airs at approximately 29:50 in episode 143.