Archive for PCI

Feb 1, 2011 – Episode 198

Posted in Breach, Conference Coverage, Court Cases, criminal forensics, darkweb, ediscovery, Exclusive, Legislation, Podcast, The CyberJungle, Vulnerabilities, web server security with tags , , , , , , , on February 1, 2011 by datasecurityblog

Episode 198 of  The CyberJungle  is 32 minutes long.  You can hear it by clicking on the flash player below. You may download the file directly – great for listening on many smartphones. Or, you may go to the listening options page and browse for other ways to hear the show.

To listen to Episode 198 via the flash player:

Interviews

Hey, is that an SMS botnet in your pocket? Straight from Shmoocon 2011, Georgia Weidman tells how the most popular smartphone platforms can be silently seized by the bad guys. Major computer forensic repercussions? The CyberJungle has the first radio interview with Georgia Weidman following Shmoocon. Proof-of-concepts and slides from Shmoocon 2011. The interview starts at about the 20:20 mark.

Tales From The Dark Web

Last may, the Dow plummeted in seconds. Fat-finger error, or something more sinister?

Our Take on The Week’s News

Wired magazine in the UK has jolted some of its subscribers by sending them an issue with the most personal details about their lives on the cover.  Imagine pulling the mag out of your mailbox and there’s your name, along with comments about your latest ebay purchase, your divorce, your kids, and your new boss.

Data retention law does not help law enforcement fight crime, study reveals.

The backlash against smart meters is growing. Joining the privacy advocates and the anti-corporatists are those suffering from “electromagnetic sensitivity.”

The cost of non-compliance with security mandates can be more expensive than the cost of investing in security, says Ponemon Institute.

Slammed: An attempt to regulate computer forensics pros in the State of Virginia

Ira heads to RSA San Francisco 2011. Ira will post reports in Conference Notes. Reports sponsored by LogLogic – The IT Data Management company. Meet Ira in the LogLogic booth #828 during Tuesday night’s RSA pub crawl and drink some Travis Smith’s 510 nano-brew, served fresh in the booth. Ira mentioned the Cryto Adapter by hiddn in this segment.

October 3, 2010- Episode 177

Posted in Breach, Court Cases, criminal forensics, darkweb, Legislation, Podcast, The CyberJungle, Vulnerabilities, web server security with tags , , , on October 3, 2010 by datasecurityblog

Episode 177:

This week’s regular episode of  The Cyberjungle  is 1 hour and 16 minutes long. You can hear it by clicking on the flash player below, or you can go to the listening options page and browse for other ways to hear the show.

To listen to Episode 177 via the flash player:

Interview

Dr. Eric Cole is an instructor at the SANS Institute and a CTO with McAfee.  He discusses data security based upon actions, rather than just signatures of attacks.  Dr. Cole’s interview begins about 25 minutes into Episode 177.

Tales from the Dark Web

Restaurant Security Fails – $200,000 in fraudulent credit card charges made after a restaurant purchased a new PCI compliant point of sale system, but failed to take the other steps needed to secure the information. Many businesses are failing to secure their point of sale systems and other parts of their business. They run out of date software, insecure systems. Most small businesses still don’t think they are a target for cyber criminals.

Our Take on This Week’s News

Obama Administration seeks wiretap access through backdoors to all online communication channels. The effort would include a requirement for access to encrypted communications. The EFF points out this battle has already been won once.

Rat on your neighbor, part II – Meanwhile, Department of Homeland Security launches a suspicious activity report database.

Poor Tyler Clementi, the Rutgers student whose gay tryst was available to his roommate’s chat partners via webcam, has not yet been laid to rest, and a state lawmaker is seizing upon his suicide to get attention for herself. Thumbs way down to these vultures who climb upon the bones of dead teenagers to get publicity or to shill for legislation that would otherwise go nowhere. This is all too common.

Another episode of Databreach Theater – Courthouse News reports on a databreach case originating in a Kansas prison.  The Six Circuit Court apparently concluded that an act can be simultaneously “inadvertent” and “willful.”

Zeus arrests - Bank Account Takeover Attack gang members arrested in three countries. The Zues attacks nonetheless continue, with one of many variants now targeting mobile banking users.

Judge acquits speeding motorcyclist who used a helmet cam to record traffic antics and a traffic stop by an armed plain-clothes cop.

Stuxnet Update- The Saga Continues: Could this attack ‘inspire’ similar attacks? Was the attack targeting India rather than Iran? China has also had a taste of Stuxnet.

Bug Bounty -Should major cloud services/sites set up a bounty system for web app bugs?

CyberJungle FAQ:

Skip the Adobe PDF mess and download Foxitsoftware’s PDF reader

For easy, much more secure tool one can use for online banking, use Webconverger

May 8, 2010 – Episode 135

Posted in Breach, criminal forensics, ediscovery, The CyberJungle, Vulnerabilities, web server security with tags , , , , , , on May 9, 2010 by datasecurityblog

Interview segment

If your company accepts credit cards, listen to our featured interview with Richard Moulds from security firm Thales.  He and Ira discuss the upcoming revision of Payment Card Industry standards. (Standards are set  by the PCI Security Standards Council).  Thales sponsored a survey of PCI auditors, to discover where they believe the weak spots are, and where improvements should be made. The interview is 11 minutes long, and it starts 56 minutes into Episode 135.

You may listen to to Episode 135 on via the flash player:

You may download the MP3 file here; or go to the listening options page for other ways to hear the program.

Our Take on This Week’s News

FedGov wants to snoop into your financial transactions: As most major news organizations have reported, there are potential privacy hazards for consumers and merchants lurking in the federal financial reform bill.  Republicans objected last week to the creation of two agencies that would be empowered to scrutinize purchases made on credit. We’re thankful the subject was raised, but we note that the Republicans very likely were using consumer privacy as a bargaining chip to get other changes in the bill that they consider truly important.  Let’s not be lulled into believing that citizen privacy is not a priority for any legislator when there are other issues on the table. Sure enough, this article, published a day and a half later, bears out our assertion.  It’s a three-page report indicating that Republican objections had been trounced.  In three pages of reporting, not a mention of the privacy concerns, so it’s clear that other matters dominated the discussion, and any concerns over privacy must have evaporated in the backroom discussions.

BTW -  those two snooping “consumer protection” agencies would be located within the Federal Reserve and the U.S. Department of Treasury.  Well, it seems that Treasury is having some data security problems right now.  PandaLabs has located easy-as-pie hacker kits with targets that include the U.S. Treasury.

Computer glitches hamper census:  Remember how much money and effort was spent persuading you to return your census form?  Now the GAO reports fairly significant problems with the computer system that was specially designed for processing the paper responses.  For the moment, they’re reporting major cost overruns — AND — that a lot of the paper responses might not be counted anyway.  Why is this in our data security beat?  Because information security has three pillars:  Confidentiality, Integrity, and Availability.  We can rule out data integrity here, because the census data most likely won’t be accurate. Rule out confidentiality, because, as congress has now been informed, stacks of paper responses are piled up in offices waiting to be entered into the system.  And we should probably rule out availability too, unless the many agencies making use of census data want to trudge over to the commerce department and analyze it by hand.

You may have seen this by now:  Hats off to CBS news for their coverage of the copy machine hard drives left unscrubbed when the machines are discarded by business.  Chilling.  Few mainstream news organizations are doing good coverage of these issues, and we hope this CBS reporter wins an award for his excellent work.

The FBI is having some challenges with forensic investigations on smart phones and game consoles. Read why they need to get info from these devices.

WiFi cracking kits make it easier than ever for wireless networks to be hacked.

This Tuesday is Patch TuesdayMicrosoft is offering a webinar to answer customer questions about patching.  Kudos for this public outreach.  But why was Microsoft silent last month, when it issued these patches?

Did fedgov use drones to track the Times Square bomber?  This story has not been reported anywhere else, but the source seems credible.  Leaving us to wonder about the Obama administration’s public preference for giving suspected terrorists constitutional rights.  A terrorist is either a criminal suspect or a combatant.  Not both.  If there is a behind-the-scenes use of military signal intelligence to track criminals, then they are not criminals, they are combatants. Or are they? Let’s decide and stick with one course.

Caller Kevin wanted to know how to diagnose mysterious CPU spikes on his system. Is there a security issue here? Ira promised to look up a free utility that can help. Long ago, when The CyberJungle was still the Data Security Podcast, we reported on MimarSinan’s Rubber Ducky System Monitor. Jim Murray, the creator of this utility, talked with us about how he came up with the software after his wife’s computer system came under attack.

Lovers of Apple can become lovers:  A new dating site for fans of Apple products.  God bless entrepreneurs everywhere.

Episodes 113A, 113B, and 112 su root editon: February 21, 2010

Posted in Breach, Conference Coverage, Court Cases, criminal forensics, Legislation, Podcast, Show Notes, The CyberJungle, web server security with tags , , , , , , on February 21, 2010 by datasecurityblog

Three episodes, one low price. (Free). We posted the show in three parts this week. Episode 113 A is a 35-minute interview on cell phone tracking, posted separately, so that anyone who wants the cybercrime news can skip straight to Episode 113 B.

The other post is the su root edition for the technically proficient. This week it’s an interview with Ben Jun from Cryptography Research, on developing applications that adapt to sweeping changes in technology. A preview of his RSA presentation. It’s 20 minutes long.

Episode 113 A – cell phone tracking interview

This is an interview segment on the legal and technical issues under review by the federal Third Circuit Court of Appeals regarding tracking of cell phone users. Our guests are Rebecca Gasca of the Nevada ACLU and Dr. Nirmala Shinoy of the Rochester Institute of Technology. This segment is 35 minutes long.

The most informative of the documents is the 2008 court order now being appealed, in which a Western Pennsylvania magistrate denied the government’s request for tracking data without a warrant. It’s 56 pages long, but offers a very comprehensive statutory history of the laws that apply to phone tapping and tracking. Newsweek recaps the issue and covers the appeal. http://www.newsweek.com/id/233916

Episode 113B Cybercrime and Security News

A spike in power grid attacks is predicted in the next 12 months. The Project Grey Goose report claims the number and severity of attacks on the existing grid has been underreported.

Coincidentally, Zues and its variants are more severe and widespread than previously reported. The attack is not just stealing money from commercial bank accounts. It’s settled into more than two thousand entities and 74 thousand computers, stealing intellectual property, credit card numbers email and network credentials, and a wide variety of other information. The good news is, it’s finally hitting the mainstream press. Reported this week in the following publications.

CNET: Zeus on 74k PCs in global botnet. “…Compromises of enterprise networks have reached epidemic levels”

NY Times: Malicious Software Infects Corporate Computers. Attack goes well beyond just bank account info stealing.

Wall St Journal: Broad New Hacking Attack Detected

WaPo: Nearly 2500 companies victim of massive cyberattack

The economics of malware- a new report urges us to look at cybercrime differently. It’s not lone gunmen and geeky teens, it’s an entire economy, with mom and pop shops, street vendors, manufacturers and marketers.

A TV news story that suggests banks are using your social networking pages to glean information about your creditworthiness. A company that mines the sites for data and sells it to the banks says nope… the institutions only use it for marketing, not for lending decisions.

A Houston television station launched an investigation of retail credit card practices at the cash register in Sears and K-Mart. Employees at the store accepted credit cards without checking ID or signatures. The reporters made numerous purchases using cards that didn’t belong to them. The stores will “immediately” begin retraining their employees at more than 2,000 combined stores nationwide in techniques for preventing credit card fraud.

Data Security Podcast Episode 78, Nov 09 2009

Posted in Breach, Conference Coverage, Court Cases, criminal forensics, darkweb, ediscovery, Podcast, Report Security Flaws, Vulnerabilities, web server security with tags , , , , , , , , , , , , on November 8, 2009 by datasecurityblog

30 minutes every week on data security, privacy, and the law…..(plus or minus ten)

On this week’s program:

* Why are web drive-by downloads proliferating like cockroaches?

* Sixty Minutes just covered a data security story. We rate the coverage.

* Our take on this week’s news.

–> Stream This Week’s Show with our Built-In Flash Player:

–> Scroll down to see links and show notes for this week’s show

–> Stream, subscribe or download Episode 78 – Listen or subscribe to the feed to automatically get the latest episode sent to you to your Google, Yahoo, iTunes, or other popular sites.

–>Tune into the show directly on iTunes, you can also subscribe to the program on iTunes.

–> A simple way to listen to the show from with stricter firewalls: Listen from Odeo. This site works better if you are behind a more restrictive enterprise firewall.

Please visit our sponsors, and be sure to let them know you heard about them on The Data Security Podcast:

  • Vipre Anti-Virus, the complete Antimalware solution by Sunbelt Software. If you TRY the enterprise version, you get the home version for FREE! Go to: http://www.testdrivevipre.com .
  • GamaSec Web App Scans: Spots cyber-hazards on your web site, and has advanced zero-day protection. GET YOUR FREE BASIC WEB APP SCAN, plus a special offer just for listeners to The Data Security Podcast. Go here to sign up, and add the offer code: Podcast.
  • SonicWall;  Get the super fast UTM firewall that’s rated Five Stars (the Best rating) by Secure Computing MagazineData Clone Labs is the premier SonicWall Medallion Partner for all your security needs.
  • DeviceLock; Software that controls, manages and helps encrypt USB drives and other removable media. Get a free trial on their site, and be sure to let them know you heard about them on The Data Security Podcast.

Show Notes for Episode 78 of the Data Security Podcast

* Conversation:  Ira talks with Georg Hess, CEO and Co-Founder, Art of Defence, about network scans versus web application scans. OWASP AppSec DC 2009 takes place this week,  November 10-13th, in Washington, DC. The Open Web Application Security Project (OWASP) is a worldwide free and open community focused on improving the security of application software. Their mission is to make application security visible,  so that people and organizations can make informed decisions about true application security risks.

OWASP Conf 2009 Wash DC

* Tales From The Dark Web:  Our take on the 60 Minutes segment Sabotaging The System:  Could hackers get into the computer systems that run crucial elements of the world’s infrastructure, such as the power grids, water works or even a nation’s military arsenal? Be sure to watch this video segment with the highest level non-technical boss in your organization. Also, make sure you, and your non-technical boss watch the “Web Extras” from this segment.  One of the stunning parts of the segment was the claim that private companies are more vulnerable because the companies only care about profit. Unlike government networks, which are more secure (uh?).  If that was the case, how can that be squared against the portion of the segment that revealed that the Feds lost 12TB of data from the DOD, DOE, DOC and possible NASA, in 2007? Where was the profit motive that stopped good security in those organizations? Security expert Robert Graham explores this, and other issues, in this posting: Brazil outage NOT caused by hackers.

* From Our Take on The News:  New open-source voting technology – the developer is looking for jurisdictions to try it for free.  Read the Wired account.

* From Our Take on The News:  A technical overview of the newly discovered SSL vulnerabilities and possible mitigation. Ben Laurie has excellent, technical blog postings about the SSL protocol flaw.

* From Our Take on The News:  Voters hate traffic surveillance cameras — proven in three U. S. cities in last week’s elections. (As if we still need proof.) Great coverage of traffic surveillance and related matters in Maryland. (But the topic is universal).

* From The Wrap:  First iPhone worm found, details at F-Secure.  A how-to for changing the SSH default password in your jailbroken iPhone; one uses a computer connected to your iPhone to change the SSH settings.  Note: If you are not using a jailbroken iPhone, you don’t need to make changes to be protected from this particular attack.

Data Security Podcast Episode 74, Oct 18 2009

Posted in Breach, Business Continuity, Court Cases, darkweb, Vulnerabilities with tags , , , , , , , on October 19, 2009 by datasecurityblog

30 minutes every week on data security, privacy, and the law…..(plus or minus ten)

On this week’s program:

* Now the bad guys are holding computer files for ransom if you don’t buy their phony anti-virus software. We have a workaround.

* Midyear elections are coming up, and the last thing the campaigns seem to think about is data security.

* Our take on this week’s news.

–> Stream This Week’s Show with our Built-In Flash Player:

–> Scroll down to see links and show notes for this week’s show

–> Stream, subscribe or download Episode 74 – Listen or subscribe to the feed to automatically get the latest episode sent to you to your Google, Yahoo, iTunes, or other popular sites.

–>Tune into the show directly on iTunes, you can also subscribe to the program on iTunes.

–> A simple way to listen to the show from with stricter firewalls: Listen from Odeo. This site works better if you are behind a more restrictive enterprise firewall.

Please visit our sponsors, and be sure to let them know you heard about them on The Data Security Podcast:

  • Vipre Anti-Virus, the complete Antimalware solution by Sunbelt Software. If you TRY the enterprise version, you get the home version for FREE! Go to: http://www.testdrivevipre.com .
  • GamaSec Web App Scans: Spots cyber-hazards on your web site, and has advanced zero-day protection. GET YOUR FREE BASIC WEB APP SCAN, plus a special offer just for listeners to The Data Security Podcast. Go here to sign up, and add the offer code: Podcast.
  • SonicWall;  Get the super fast UTM firewall that’s rated Five Stars (the Best rating) by Secure Computing MagazineData Clone Labs is the premier SonicWall Medallion Partner for all your security needs.
  • DeviceLock; Software that controls, manages and helps encrypt USB drives and other removable media. Get a free trial on their site, and be sure to let them know you heard about them on The Data Security Podcast.

Show Notes for Episode 74 of the Data Security Podcast

* Conversation:  Ira talks with Gretchen Hellman, VP of Marketing for Vormetric about information security, the security issues with the new GOP web site, and election campaign security.

* Tales From The Dark Web:  Watch the video by PandaSecurity that demonstrates a damaging new fake anti-virus that denies access to files and applications on victim systems unless a ransom is paid. The link below takes you to a video of the attack, and we have posted the keys to defeat the current variant of lock out.  If you work in IT/InfoSec please write an email to users with a warning, include the keys to unlock the software, and have the end user re-image their hard drive.

Rogueware with new Ransomware Technology

Rogueware with new Ransomware Technology

Click here to view the Rogueware with new Ransomware Technology™ video. The video comes to us from Panda Security.  Take note that the malware icon disappears from the computer, and when it does, the attack is in place.  If you have a system that is infected with this attack, Panda has cracked the malware and has provided a list of working keys, which give access to the current variants of the TotalSecurity2009 attack:

WNDS-TGN15-RFF29-AASDJ-ASD65
WNDS-U94KO-LF4G4-1V8S1-2CRFE
WNDS-6W954-FX65B-41VDF-8G4JI
WNDS-G84H6-S854F-79ZA8-W4ERS
WNDS-TTUYJ-7UO54-G561H-J1D6F
WNDS-A1SDF-6AS4D-RF5RE-79G84
WNDS-A1SDF-RY4E8-7U98D-F1GB2
WNDS-5SRTS-AEHUF-YA54S-D6F35
WNDS-P9685-4H41A-DSW3A-2R64T
WNDS-2AE32-1VFC2-B6894-G67YU
WNDS-4TS8R-D6F5D-4JH8T-U4JK5
WNDS-FGS5D-649RG-4S53D-412SF
WNDS-452S3-ER00F-TSE35-S8FSD
WNDS-SERFH-2642S-F04SD-64FG1
WNDS-F40SA-1ER5H-4FG5D-F8412
WNDS-5D1V2-XB0D5-JT1TY-97DS3
WNDS-4BGY2-JY4KO-IT98Y-7HJ43
WNDS-G8FB6-1V87S-DRT1S-63SRG
WNDS-HFVDR-9844O-U54DA-5TBSC
WNDS-89OF7-7324R-5SAD4-TG68U
WNDS-JUYH3-24GHJ-HGKSH-FKLSD

* From Our Take on The News:  Danger Will Robinson! Danger! Additional insiders have stepped forward to shed more light into Microsoft’s troubled acquisition of Danger, its beleaguered Pink Project, and what has become one of the most high profile Information Technology disasters in recent memory. 

TJMaxx Agrees “Leadership Role” In Data Security

Posted in Annoucements, Breach, criminal forensics, darkweb, ediscovery, Legislation, Vulnerabilities, web server security with tags , , , , , on June 24, 2009 by datasecurityblog

Large US retailer TJMaxx today announced that it has settled with a multi-state group of 41 Attorneys General, resolving the States’ investigations relating to the criminal intrusions into TJMaxx’s computer system announced by TJMaxx over two years ago.

Jeffrey Naylor, Chief Financial and Administrative Officer of The TJX Companies (the owner of TJMaxx) stated, “This settlement furthers our goal of enhancing consumer protection, which has been central to TJX. Under this settlement, TJX and the Attorneys General have agreed to take leadership roles in exploring new technologies and approaches to solving the systemic problems in the U.S. payment card industry that continue to plague businesses and institutions and that make consumers in the United States worldwide targets for increasing cyber crime.”

Mr. Naylor continued, “The sheer number of attacks by cyber criminals demonstrates the challenges facing the U.S. payment card system in protecting sensitive consumer data. This settlement furthers TJX’s efforts to unite retailers, law enforcement, banks, and payment card companies to consider installing in the U.S. the proven card security measures that are already in use throughout much of the world.”

What has not been announced are the specifics of what TJMaxx, or the states, will do to take a leadership role in exploring new technologies and approaches to improving data security.

Here are some suggestions:

1. Making protecting information a key, important function for all organizations, of all sizes. Too often, data security is looked at as  “an IT task.”   In many organizations today, data security is just a subset of the IT department. Then it falls on the CTO/CIO/MIS manager  to strike the balance between ease of access and security.  The Chief Information Security Officer should report to the CFO or CEO, and bring them actionable information risks and the options to mitigate those risks. It is the role of the non-technical manager to strike the balance between ease of use and security, not the head of IT.

2. Educating business that the PCI standard is a MINIMUM standard, not a bar or goal to be reached “one day.”

3. Educating businesses on ISO-27k, OWASP, NIST, and other standards that can help protect information.

4. The culture in security and business is to not to do PR about specific security measures. Make an exception. TJMaxx should use their bully pulpit, deploy, and get the word out about the  importance of advanced web application scanning, data encryption, web drive-by downloads,  two-factor authentication, wireless security, and open-source.

5. Responsible Disclosure.  Today, it is almost impossible to alert a business when they have a security flaw.  Retailers and other businesses must develop an easy method for “good guy” security people to inform them when a security issue is discovered.

Almost every state has data security laws. The monies that go to the states should be used to better educate managers and decision makers about protecting personally identifiable information, and the list above.

According to press reports, 40 states are participating in this settlement agreement. Those state are Alabama, Arizona, Arkansas, California, Colorado, Connecticut, Delaware, Florida, Hawaii, Idaho, Illinois, Iowa, Louisiana, Maine, Maryland, Massachusetts, Michigan, Mississippi, Missouri, Montana, Nebraska, Nevada, New Hampshire, New Jersey, New Mexico, New York, North Carolina, North Dakota, Ohio, Oklahoma, Oregon, Pennsylvania, Rhode Island, South Dakota, Tennessee, Texas, Vermont, Washington, West Virginia, and Wisconsin. The District of Columbia is also a party to the settlement.

If TJMaxx is serious about playing a leadership role in data security, we hope to hear from them about what they will do. The Data Security Podcast has reached out the to TJMaxx. We have requested an interview for the audio program. We will let you know their response.

Data Security Podcast Episode 58 – June 22 2009

Posted in Breach, darkweb, ediscovery, Legislation, Podcast, Vulnerabilities, web server security with tags , , , , , , , on June 22, 2009 by datasecurityblog

30 minutes each week on data security, privacy, and the law…. (plus or minus five)

On this week’s program:

  • The vast majority of malware infected web sites are legitimate sites that have been secretly hijacked. How would you know if your site was on that list?
  • Your GPS can now tell you where red light cameras, photo radar and DUI checkpoints are. Some local governments aren’t happy about this…we’ll talk to the CEO of the firm providing the data.
  • Plus,  Apple’s PR department calls us back, find out where information security was in their priority list.
  • More details and links in the show notes section below the audio listening instructions.

–>NEW! Stream This Week’s Show with our Built-In Flash Player: (or scroll down to try the Odeo link for a very firewall friendly player)

This week’s show is 26.5 minutes long

–> Stream, subscribe or download Episode 58 – Listen or subscribe to the feed to automatically get the latest episode sent to you to your Google, Yahoo, iTunes, or other popular sites.

–>Tune into the show directly on iTunes, you can also subscribe to the program on iTunes.

–>  A simple way to listen to the show from with stricter firewalls:  Listen from Odeo. This site works better if you are behind a more restrictive enterprise firewall.

This week’s show is sponsored in part by Vipre Anti-Virus, the complete Antimalware solution by Sunbelt Software.  If you TRY the enterprise version, you get the home version for FREE! Go to: http://www.testdrivevipre.com . Also sponsored by  DeviceLock Removable Media Security Software.

Show Notes for Episode 58 of the Data Security Podcast

  • Ira has a conversation with Joe Scott the CEO and Founder of PhantomAlert.com.  This services allows you to use your GPS, and the power of social networks to get early warnings of the locations of photo radar,  red light cameras, DUI checkpoints, and more.
  • From The News: Apple calls us back. They don’t want to talk about security, tune in to find out what they wanted to talk about.
  • From The News:  Due to some traveling, we will not have our take on this week’s news. Our analysis segment will return next week.
  • Wrap: New regulations proposed on GPS use in a moving vehicle.
<!–[if gte mso 9]> Normal 0 false false false MicrosoftInternetExplorer4 <![endif]–><!–[if gte mso 9]> <![endif]–> <!–[endif]–>

 

Data Security Podcast Episode 52 – May 11 2009

Posted in Breach, darkweb, Podcast, Vulnerabilities, web server security with tags , , , , on May 11, 2009 by datasecurityblog

The Data Security Podcast is the place for 30 minutes of news every week on data security, privacy, and the law.

This weeks program – Cross Site Forgery Attacks; A different approach to stopping malicious code. And, our take on this week’s news.

–> Stream, subscribe or download – Listen or subscribe to the feed to automatically get the latest episode sent to you to your Google, Yahoo, iTunes, or other popular sites.

–> Tune into the show directly on iTunes, you can also subscribe to the program on iTunes.

–> Stream, subscribe, or download via our page at Podcast.com.

This week’s show is sponsored by Vipre Anti-Virus, the complete Antimalware solution by Sunbelt Software.  If you TRY the enterprise version, you get the home version for FREE! Go to: http://www.testdrivevipre.com .

The Show Notes Page for Episode 52 of The Data Security Podcast

-> Ira has a conversation with Tom Murphy, Senior Strategist with Bit9 about whitelisting approved applications, rather than a signature based approach to blocking.  Bit9 offers white papers on the topic.

-> Tales From The Dark Web: Cross Site Forgery Attacks and other attacks targeting sites using Web2.0 applications are highlighted in this report.

–> Be sure to read a new feature on our web site: Lame Excuses, the dumb statements by people who should have been responsible for securing information.  We welcome your contributions.

-From The News: Report: Web application security and IDS in air traffic control systems.

Follow

Get every new post delivered to your Inbox.

Join 1,106 other followers