Archive for Smart Cards

Data Security Podcast Episode 86, Dec 21 2009

Posted in Breach, Podcast, Vulnerabilities with tags , , , , , , , , on December 20, 2009 by datasecurityblog

30 minutes every week on data security, privacy, and the law…..(plus or minus ten)

On this week’s program:

* Twitter’s DNS hijacked

* Fingerprinting credit card mag strips

* Our take on this week’s news

–> Stream This Week’s Show with our Built-In Flash Player:

–> Scroll down to see links and show notes for this week’s show

–> Stream, subscribe or download Episode 86 – Listen or subscribe to the feed to automatically get the latest episode sent to you to your Google, Yahoo, iTunes, or other popular sites.

–>Tune into the show directly on iTunes, you can also subscribe to the program on iTunes.

–> A simple way to listen to the show from with stricter firewalls: Listen from Odeo. This site works better if you are behind a more restrictive enterprise firewall. The shows don’t always display on chronological order on Odeo.

Please visit our sponsors, and be sure to let them know you heard about them on The Data Security Podcast:

  • Award-winning Sunbelt Network Security Inspector a scalable and effective vulnerability scanner. Windows IT Pro Magazine readers chose SNSI as their Favorite Vulnerability Scanner for two years in a row. Read more here, and contact Data Clone Labs for a test drive .
  • GamaSec Web App Scans: Spots cyber-hazards on your web site, and has advanced zero-day protection. GET YOUR FREE BASIC WEB APP SCAN, plus a special offer just for listeners to The Data Security Podcast. Go here to sign up, and add the offer code: Podcast.
  • SonicWall;  Get the super fast UTM firewall that’s rated Five Stars (the Best rating) by Secure Computing MagazineData Clone Labs is the premier SonicWall Medallion Partner for all your security needs.
  • DeviceLock; Software that controls, manages and helps encrypt USB drives and other removable media. Get a free trial on their site, and be sure to let them know you heard about them on The Data Security Podcast.

Show Notes for Episode 86 of the Data Security Podcast

* Ira talks with Dr. Robert Morley  about the unique digital fingerprints on every credit card and ATM magnetic strip, and how that fingerprint can fight card cloning fraud. Read about Dr. Morley.  Dr. Morley’s work has been commercialized into products like MagnePrint,  mentioned in the segment.

* Tales From The Dark Web:  Ira gave his take on the reporting by Brian Krebs in the Security Fix blog at the Washington Post site.

* From Our Take on The News: Ira gave his take on the very interesting blog posting by Robert Graham entitled SkyGrabber vs. Predator .

* From Our Take on The News:  Why did a department of health worker in Detroit have electronic copies of thousands of birth certificates in her car? That’s where the records were (on a flash drive) when they were stolen. We give our take on this story in the Detroit Free Press.

* From Out Take on The News:  A program that allows Seattle Area employers to subsidize commuting — it saves employees a lot of money.Only problem is, your travel records are available to your boss. All he has to do is ask.

The Identity Theft Prevention Stamp

The Identity Theft Prevention Stamp

* The Wrap:  A rubber stamp that renders printed personal information illegible (pictured) .  Read more.

StrongWebMail Bounty Attack – Caveat Emptor

Posted in Breach, eMail Security, Exclusive, web server security with tags , , , , , on June 7, 2009 by datasecurityblog

StrongWebMail has received publicity for the $10,000 bounty that the company’s chief executive offered if someone could break into his web mail account.The executive, Darren Berkovitz, posted his StrongWebMail username and password on the company web site.

IDG is reporting that three information security professionals are now claiming that they were able to pwn (“own”) Mr. Berkovitz’s StrongWebMail account. Although their exact method has not been revealed, IDG is reporting that the StrongWebMail site was vulnerable to cross site scripting attacks.

The Data Security Podcast had a conversation with Darren Berkovitz on Friday June 5th.

He was not yet ready to talk about the StrongWebMail bounty attack. But, he agreed to do so in the coming week. That conversation will be posted on June 15th, in Episode 57 of the Data Security Podcast.

He did talk with us on Friday about his service in general, and about the challenges of market adoption of multi-factor authentication.

StrongWebMail’s parent company, Telesign is a provider a phone focused multi-factor authenticaion services. The service allows owners of web sites to validate users with a phone call to end users. That call can contains a validation code, for use on the web site, in addition to a username/password pair. StrongWebMail is, in some ways, a proof of concept that is designed by Telesign to demonstrate the acceptance of multi-factor authentication for the world’s most popular web application: web mail.

According to Mr. Berkovitz, StrongWebMail uses an off-the-shelf web mail application once users get pased validation.

And, that may be the chink in the armour that security researchers used. Rather than attacking the multi-factor element, IDG reports that the researchers created their own StrongWebMail accounts. They then used those accounts to launch attacks that allowed them “hop over” from one user account to another, including, allegedly, hopping over to Mr. Burkovitz’s account.

If they waited for Mr. Berkovitz to log in, and then hopped over to his account, that could be a method to gain access to his account. If this indeed  isthe nature of the bounty attack, then it would re-emphasis the important of securing the code of web appliations.  The best multi-factor systems cannot compensate for weaknesses in a web application.

So, if we are on the right track, then this is not a story about the weaknesses of a two factor authenticaion system. This may simply be another example of the importance of security in web-based, or so-called cloud computing, applications. That even includes web sites that assure customers that “our site is secure,” or even when the site has names, icons, or other technolgies associated with information security in general.

Data Security Podcast Episode 53 – May 18 2009

Posted in Breach, criminal forensics, darkweb, ediscovery, Podcast, Vulnerabilities, web server security with tags , , , , , , , on May 17, 2009 by datasecurityblog

The Data Security Podcast is the place for 30 minutes of news every week on data security, privacy, and the law.

This weeks program – One web malware variant overtakes all others; Smart cards INSIDE MiniSD for two factor auth via cell phone. And, our take on this week’s news.

–> Stream, subscribe or download – Listen or subscribe to the feed to automatically get the latest episode sent to you to your Google, Yahoo, iTunes, or other popular sites.

–> Tune into the show directly on iTunes, you can also subscribe to the program on iTunes.

–> Stream, subscribe, or download via our page at Podcast.com.

This week’s show is sponsored in part by Vipre Anti-Virus, the complete Antimalware solution by Sunbelt Software.  If you TRY the enterprise version, you get the home version for FREE! Go to: http://www.testdrivevipre.com . Also sponsored by  DeviceLock Removable Media Security Software.

The Show Notes Page for this week’s The Data Security Podcast

Combining smart cards and memory on a MiniSD for two factor ID

Combining smart cards and memory on a MiniSD for two factor ID

–> Ira has a conversation with William Holmes, of Go Trust. They have developed technology to merge smart cards with MiniSD memory. This technology can be used to make rather smart two-factor authentication. Go Trust is looking for people that want to develop applications that leverage this new security technology.

–> Tales From The Dark Web: According to Graham Cluely’s Blog at Sophos, Malicious JSRedir-R script found to be biggest malware threat on the web, at least for the next 15 minutes..

–> Be sure to read a new feature on our web site: Lame Excuses, the dumb statements by people who should have been responsible for securing information.  A new entry was added this week, and we welcome your contributions.

–> From The News: The Federal Computer Week story,  Homeland Security Information Network suffers intrusions.

–> From The News: U.S. attorney’s office tells employees not to log on to Drudge Report, as reported by Jonathan Martin at POLITICO.com .

Data Security Podcast Episode 16 – Sept 02 2008

Posted in Podcast with tags , , , , , on September 2, 2008 by datasecurityblog

The Data Security Podcast is the place for 30 minutes of news every week on data security, privacy, and the law.

This weeks program: Cloud Computing is hot – but is it secure?  Plus, the latest security news.

–> Stream, subscribe or download Episode 16 – Listen or subscribe to the feed to automatically get the latest episode sent to you to your Google, Yahoo, iTunes, or other popular sites.

–>Tune into the show directly on iTunes, you can also subscribe to the program on iTunes.

This week’s show is sponsored by DeviceLock

Program Notes for Episode 16

News:

1.  Survey: IT staff would steal secrets if laid off

2. Improvements to smart card security...The company that sold millions of chips to the federal government for RFID passports has licensed technology that will make the products less vulnerable.

3.  Best Western CIO Scott Gibson On The Data Breach

4.  Scientists who research genetic predisposition to disease are now ready to use their technology to help law enforcement with identifying crime suspects.  Privacy implications? Oh yes.

5. Virus Infects Space Station Laptops (Again)

Interview

Pete Wood, Member of the ISACA Conference Committee and founder of First Base Technologies speaks with Ira about Cloud Computing Security.  Pete’s tips on creating strong passwords, as mentioned in this segment.

Follow

Get every new post delivered to your Inbox.

Join 1,151 other followers