Archive for Surveillance cameras

iOS TrackerGate: Not New, But Still Disturbing

Posted in Court Cases, criminal forensics, ediscovery, eMail Security with tags , , , , , , on April 21, 2011 by datasecurityblog

The technical and non-technical press is buzzing over the “discovery” by a forensic researchers Alasdair Allan and Pete Warden. The revelations are not new, but the implications are still very disturbing.

Yesterday, Allan and Warden released a an application that uses an interesting plain-text file on 3G iPhones and iPads.  This file contains the geo location of where the device (and presumably it’s owner) has been.  The application blots the geo data onto a map, allowed one to see the travels and location of the device, and it’s owner.

The non-technical press has taken this story as a revelation.  Both the Wall Street Journal radio report out of the Bay Area (on KSFOAM) and The BBC World Service have been running this story all morning. Alex Levinson is a forensic researcher that has correctly pointed out that work by Allan and Warden did not credit the earlier research done by Alex, and others, in this area. Indeed, in a The CyberJungle posting from the Paraben Forensic Innovator’s Conference (PFIC) in Park City, UT last November, we reported the mountains of data that can be recovered from iOS devices.

The privacy implications of this data becoming available to in a civil lawsuit, or in a criminal matter, are quiet significant. Everything from visits to a mental health provider, a controversial art exhibit, a winery,  or a discreet meeting with an ex lover could become open to unwanted scrutiny.  It’s difficult to predict how the information regarding someone’s whereabouts could be used to harm an individual in a civil or criminal matter. We already have privacy challenges with the proliferation of closed circuit television (CCTV), and the ability to correlate the data with iOS geo data becomes an enormously powerful investigative tool.

Interestingly, yesterday also saw reports that Michigan law enforcement  maybe taking complete “in the field” forensic images of mobile devices from some drivers during routine traffic stops.  This revelation should cause any citizen to take a pause, as it has the Michigan ACLU.

What are some of the techniques the average citizen can use to add layers of privacy, and still use a mobile phone, or tablet?  We plan more coverage of this story in the next episode of CyberJungle Radio (episode 210), including options to help mitigate these privacy leaks.

by Ira Victor, G2700, GCFA, GPCI, GSEC, ISACA-CGEIT. Ira Victor is a forensic analyst with Data Clone Labs, He is also Co-Host of CyberJungle Radio, the news and talk on security, privacy and the law. Ira is President of Sierra-Nevada InfraGard, and a member of The High Tech Crime Investigator’s Association (HTCIA). Follow Ira’s security and forensics tweets: @ira_victor .

January 25, 2011 – Episode 197

Posted in Breach, Court Cases, criminal forensics, darkweb, ediscovery, eMail Security, Podcast, Show Notes, The CyberJungle, Vulnerabilities, web server security with tags , , , , , on January 25, 2011 by datasecurityblog

Episode 197 of  The CyberJungle  is 25 minutes long. You can hear it by clicking on the flash player below. You may download the file directly – great for listening on many smartphones. Or, you may go to the listening options page and browse for other ways to hear the show.

To listen to Episode 197 via the flash player:

Interviews

Ira talks with HP Security Evangelist, Rafel Los. Topic: Business Application Security, and a different way to weigh risk.

Tales From The Dark Web

Just because they are behind bars doesn’t mean your safe from members of the Dark Web.

Our Take on This Week’s News

Record a cop, go to jail – Two Chicago residents who recorded their interactions with the police are facing felony charges… one is in jail… and their cases are drawing attention to an eavesdropping law that may be obsolete in the age of smart phones with audio and video recording capabilities.

Before we had Facebook, we had yearbooks – At the end of each year of high school, we’d write messages by hand, with a pen, never expecting anyone except the book’s owner (and a select few friends) would see them. Now classmates dot com is buying up old yearbooks, and scanning and posting the contents, including our most private heartfelt messages. Read this account of describing one man’s yearbooks, bought at an auction of the contents of his mother’s basement, and the various personal messages from girls during his high school years… including a lengthy breakup letter from a serious relationship during his senior year.

In a potential windfall to attorneys that sue businesses that send out spam –  California Appeals court has ruled that businesses can be held strictly liable for actions done by their affiliates (and sub-affiliates).

Trapster Hacked – If you own a smarphone, you might be using the free app Trapster. Trapster alerts you when you are driving near speed traps and traffic cams, and other law enforcement hazards. Attackers may have stolen email addresses, passwords, and other data.

January 28, 2011 is Data Privacy Day. Privacy Projects, is the official sponsor of  Data Privacy Day.  The goal is to put additional pressure on companies and to gain a better understanding that everyone’s privacy is at stake.


 

Record a cop, go to jail - Two Chicago residents who recorded their interactions with the police are facing felony charges… one is in jail… and their cases are drawing attention to an eavesdropping law that may be obsolete in the age of smart phones with audio and video recording capabilites.

January 18, 2011 – Episode 196

Posted in Breach, Conference Coverage, Court Cases, criminal forensics, darkweb, ediscovery, eMail Security, Exclusive, Legislation, Podcast, Show Notes with tags , , , , , , on January 17, 2011 by datasecurityblog

Episode 196 of  The CyberJungle  is 30 minutes long. You can hear it by clicking on the flash player below. You may download the file directly – great for listening on many smartphones. Or, you may go to the listening options page and browse for other ways to hear the show.

To listen to Episode 196 via the flash player:

Interviews

Earlier this month, while we were strolling on the floor at CES in Las Vegas, we had a chance to chat with Tony Kainuma, the Director of Navigation and Detection products at  Cobra Electronic Corporation.  We discussed Cobra’s new smartphone app that watches for red light cameras, traffic congestion and cops with radar, and relays the information to all Cobra users who subscribe.

Tales From The Dark Web

Creepy stalker uses info from  Facebook to break into email accounts and steal stuff from women.

Our Take on This Week’s News

Silliest use of the Computer Fraud and Abuse Act? We (respectfully) disagree with law professor Orin Kerr, who says Sony’s lawyers should win this prize for this argument:  You’re guilty of felony computer hacking crimes if you access your own computer in a way that violates a contractual restriction found in the fine print of the licensing restriction of the product imposed by the manufacturer. We think the honor for dopiest use of the CFAA still belongs to the prosecutors of MySpace Mom Lori Drew.

Stuxnet news: The New York Times reports the Stuxnet worm was a joint project of the U.S. and Israel, engineered to destroy the uranium centrifuges that Iran uses in it’s nuclear weapons program. As a result of this worm, the Iranian nuke program has suffered serious set-backs. All without a shot being fired.

Federal judge supports Federal Government –  Says plaintiff  EPIC did not convince him that DHS should turn over 2,000 naked images from the airport body scanners.

A proposal in congress for a law that would clarify the rights of Americans returning home from abroad, only to have their  digital devices are seized by customs agents.  Our take – for the time being, consider the  U.S border a hostile zone for  business and personal data in your laptop or smart phone.


August 22, 2010 – Episodes 164 and 165

Posted in Breach, Court Cases, criminal forensics, darkweb, ediscovery, The CyberJungle with tags , , , , , , , on August 22, 2010 by datasecurityblog

Episode 165 is the this week’s full episode of The CyberJungle, posted immediately below.  Episode 164 is the su root edition for advanced listeners – material that’s too technical for the radio.  The advanced material consists of an interview with Dr. Richard Boyd, a senior researcher with Georgia Tech Research Institute, on using low-cost graphic cards to brute force passwords.  Scroll down to the end of this batch of show notes to find it.

Episode 165:

This week’s regular episode of  The Cyberjungle  is 1 hour and 18 minutes long. You can hear it by clicking on the flash player below, or you can go to the listening options page and browse for other ways to hear the show.

To listen to Episode 165 via the flash player:

Interview

Joshua Davis is a researcher with the Georgia Tech Research Institute. We discuss the new standards for strong passwords, and the new ease with which passwords can be broken.  The 7-minute interview starts at about 22 minutes into episode 165.

Learn More: Teraflop Troubles: The Power of Graphics Processing Units May Threaten the World’s Password Security System

Tales from the Dark Web

If you get a message that looks like it’s from LinkedIn, be extra careful.  There’s a fake one circulating and it may link you to rogueware.

Our Take on This Week’s News

Get your tech out of my trash can – The City of Cleveland is expanding a pilot program which monitors trash cans of city residents via RFID chips embedded in the cans.  Because of a trash-sorting requirement to use separate cans for recycling, city workers are able to monitor how often each household recycles, and decide whether too much time has passed since the recycling cart was last brought to the curb.  If the household is sluggish in its recycling practices, the city will inspect the trash, and can fine the resident.

We’re reading more about automated safety alerts that are supposed to tip off workers to possible problems with industrial systems, and computer malfunctions that cause these features not to work or to be ignored.  Or maybe we’re just noticing these stories more since the gulf oil spill. Now it seems malware may have been  indirectly responsible for an airplane crash a couple of years back.  The report is due out soon after a two-year investigation of a Spain Air jet that crashed because of wing flaps that didn’t get repaired.

We took our eye of the school laptop spyware case for a few months, and missed some developments in the lawsuit against the Lower Marion school District, which has has been swimming in a vat of hot water since it botched a scheme to track missing school-issued laptops, and ended up snapping photos of kids in their bedrooms instead.  There was a second suit filed by another kid whose privacy was invaded.  The expenses related to defending the district is pushing a million bucks, and the insurance company won’t pay. Hello, taxpayers.  And the lawyer for the plaintiffs says he wants his money now.  BTW, the district will roll out policy on Monday for laptop tracking.  Gee, too bad they didn’t do that before they gave the kids laptops loaded up with spyware.

Beware the TapSnake game –  It’s GPS Spyware on Android. Tapsnake and GPS SPY are companion programs developed by a Russian developer based in Texas, Mr. Max Lifshin (“Maxicom”).   Someone posted a link to his resume,  where we discover that he used to work for the Massachusetts Water Resources Authority.

The government-industry partnership – Government agencies aren’t providing business with timely tips about cyberthreats, according to a GAO report. (PDF)

Ira’s Classroom

Easy way to disguise your email address from spammers: http://scr.im

How to free yourself from the prying eyes of Google (Or, recognizing that you can’t be entirely free of Google, take some steps to minimize Google surveillance):

Two Resources: http://safeandsavvy.f-secure.com/2010/08/16/get-google-out-of-your-life/ and http://howto.wired.com/wiki/Un-Google_Yourself

Search engine alternative, excellent as your home page: http://www.StartPage.com

Episode 164 – su root edition:

This is our unedited edition, featuring a longer and more technical conversation with Dr. Richard Boyd of the Georgia Tech Research Institute, about a new threat to common passwords.   Learn More at Teraflop Troubles: The Power of Graphics Processing Units May Threaten the World’s Password Security System.

You can hear it by clicking on the flash player below, or you can go to the listening options page and browse for other ways to hear the show.  The audio file is 25 minutes long.

To listen to su root edition (episode 164)  via the flash player:

August 15, 2010 – Episodes 162 and 163

Posted in Breach, criminal forensics, darkweb, ediscovery, eMail Security, Show Notes, The CyberJungle, Vulnerabilities, web server security with tags , , , , on August 15, 2010 by datasecurityblog

Episode 163 is the this week’s full episode of The CyberJungle, posted immediately below.  Episode 162 is the su root edition for advanced listeners – material that’s too technical for the radio.  The advanced material consists of an interview with Wayne Huang,  who did early research that led to the discovery of the drive-by download.  Scroll down to the end of this batch of show notes to find it.

Episode 163:

This week’s regular episode of  The Cyberjungle  is 1 hour and 19 minutes long. You can hear it by clicking on the flash player below, or you can go to the listening options page and browse for other ways to hear the show.

To listen to Episode 163 via the flash player:

Interview

Wayne Huang is an executive at Armorize, working in Taiwan. His early research led to the discovery of what we now call drive-by downloads.  This episode of the Cyberjungle has a 7-minute interview with Wayne, which is a bit more elementary than the 35-minute su root version at the bottom of this set of show notes.  The 7-minute interview starts at about 24 minutes into episode 163.

Free Open Source Project to fight drive-by downloads is at Drivesploit.

Tales from the Dark Web

When your patch reminders pop up on your screen automatically, that’s a convenience.  When they arrive by email, that’s a scam.

Our Take on This Week’s News

Is Google buying microdrones like the ones in this vide0? And if so, what will Goolge do with them? Seems unclear at this point, but the implications kind of freak us out.

This is about as low as it gets: Cybercriminals pose as American military men — even fallen soldiers — creating fake dating profiles to ensnare women romantically and then ask them for money.

Everyone wants an iPad… we wonder if elected officials are willing to contort financial reality and ignore open meeting law requirements in order to play with an iPad on the taxpayers dime.  This USA today report says city councils are buying iPads to save the cost of paper.  But they might be buying a whole lot of trouble that will make the paper budget seem trivial.

City of San Francisco’s former network administrator Terry Childs was sentenced to 4 years for locking the city out of its network.  He’s been cooling his heels in jail for two years during the trial, and now it looks like he’ll serve about another 6 months with credit for time served. The San Francisco Weekly had the best summary of the case, and seems to be the only media outlet that truly grasps the moral of the Terry Childs story.

Attention merchants and other businesses relying on credit card purchases. PCI 2.0 is coming in October, and will probably become effective in January.  Yes, it will require more of you. Here is the current standard. The new standard will require web application logging, and better accountability and tracking of credit card number within the business network.

Apple iPhone Patches have been distributed for devices affected by the jailbreakme flaw.  Problem is, the patches work selectively. They do not apply to all devices.  Available for: iOS 2.0 through 4.0.1 for iPhone 3G and later, iOS 2.1 through 4.0 for iPod touch (2nd generation) and later. Here’s Apple’s report on the flaw.  Jay Freeman (Saurik) has made an unofficial patch for one (CVE-2010-1797) of the two vulnerabilities patched by Apple. It’s available for Jailbroken devices via Cydia,  and will work also on the older devices that have not yet received any updates from Apple, plus new devices if you don’t want to use Apple’s update.

Adobe Flash problems aren’t solved after upgrades.

Cybercriminals are already gearing up for the holidays, creating booby traps for likely Halloween and Thanksgiving search terms.

Did your shrink leave town for a convention this week?  If (s)he is attending the San Diego gathering of the American Psychological Association, you might want to text him or her, and warn about the social networking app the convention organizers have made available.  Seems the attendee code on the ID badges double as the log-in codes for the shrink network.  Oops… one wrong digit and you can view someone else’s conference registration data.

CyberJungle FAQ

1. From Steve: Our small business is running rather old PCs. Many of them are over 7 years old, and they take for ever to boot up. We are on a tight budget, we are seeing refurbished PCs with XP and new PCs with Windows7, is it worth the extra money to upgrade to Windows7? Will we get improved security?

A: YES, and your company can purchase refurbished PCs running Windows7. Get the 64 bit version, and upgrade to Office2010, for improved security and productivity.

2. From Malik: We are having a lot problems with our business email server. We are a company with less than 20 employees, but we are spending a lot of money with our IT guy on the server, where the email, and our filesve. He says we should buy a new server. The one we have is about 5 years old. Should we buy a new server, or, should we look at switching to something like gmail?

A: Get a new, smaller file server that runs Windows2008, or (even better) Linux. Buy business-grade email services from a quality firm that offers hosted Microsoft Exchange, or Open Source Zimbra.

3. Andrew: Our employees want to use their own iPads at work. They want to access work files, do email, take notes, and do other tasks. If they want to buy the iPads on their own, what are the risks to our business.

A: Plenty. Ediscovery, loss of business data, are just two. Wait a few months as business-grade alternatives to iPads are released. They are just about to be launched into the market for just your situation.

Episode 162 – su root edition:

This is our unedited edition, featuring a longer and more technical conversation with Wayne Huang of Armorize, discussing his early research that led to the discovery of drive-by downloads  The audio file is 35 minutes long.

You can hear it by clicking on the flash player below, or you can go to the listening options page and browse for other ways to hear the show.

To listen to su root edition (episode 162)  via the flash player:

August 8, 2010 – Episode 160 and 161 from DefCon 18

Posted in Conference Coverage, criminal forensics, darkweb, ediscovery, Show Notes, The CyberJungle, Vulnerabilities, web server security with tags , , , , , , , , , , , on August 7, 2010 by datasecurityblog

Episode 161 is the this week’s full episode of The CyberJungle, posted immediately below.  Episode 160 is the su root edition for advanced listeners – material that’s too technical for the radio.  The advanced material consists of three conversations  from DefCon 18.  Scroll down to the end of this batch of shownotes to find it.

Episode 161:

This week’s regular episode of  The Cyberjungle  is 1 hour and 12 minutes long. You can hear it by clicking on the flash player below, or you can go to the listening options page and browse for other ways to hear the show.

To listen to Episode 161 via the flash player:

Interview:

Security Researcher Craig Hefner offers an alarming discovery about the consumer grade routers you buy at the big box store.  He’s found major flaws in these router/firewalls.  This interview is about 8 minutes long, and it begins at 59 minutes into Episode 161.  Or you can just listen to the interview by going to our conference notes page.  Also, here are some links to more information about Craig’s work:

Craigs Hefner’s White Paper on this attack

Craigs Hefner’s DefCon18 presentation slides

Craigs Hefner’s Proof-of-Concept code

Tales from the Dark Web:

Our dramatic audio taken at a DefCon 18 press conference, in which the host of the press conference begins (quite out of the blue) to describe his personal relationship with Adrian Lamo, one of the central characters in the Wikileaks incident.  We posted this story, and six minutes of audio featuring cybersecurity researcher and self-described white-hat hacker Chet Uber on the last day of DefCon. In it, Uber discusses how he persuaded Lamo to turn in accused leaker Pfc Bradley Manning.  There is a disputed fact in Uber’s account. Uber said he helped Lamo determine that documents in his possession were classified.  Lamo now denies that he ever had possession of top secret documents.  The facts will come out at Bradley Manning’s trial. No matter who is correct, the sound file offers some interesting insight into how a high-level meeting with federal law enforcement is arranged, and what top secret documents look like. The file is at the bottom of this story, if you want to hear it.

Our Take on This Week’s News:

The National Science Foundation has a porn problem according to Senator Chuck Grassley.  Seems the science guys are passing around porn despite technical measures taken by the agency to block it.  Oh, and there’s one guy who reportedly spends 20 percent of his time looking at porn, at an estimated cost to the taxpayer of $58,000.  So do the math.  This guy makes $290k per year???  WTF!!!

BlackBerry Ban – RIM Coming To Agreement With Middle-Eastern and Asian Nations on Eavesdropping. The question that we are still researching: What about a foreigner that uses BES in one of the nations? Is the traffic routed to one of these local RIM servers, or back to Canada?

Apple remote jailbreak flaw. Major Flaw Uncovered in Apple iPhone/iPad/iPod

Salute to the Wall Street Journal for its series this week on web tracking, cell tracking and other privacy issues.

We stumbled over the Social Engineering contest at DefCon18.   A super fun event to watch, as contestants placed phone calls to major U.S. corporations, and charmed employees into revealing a wide range of information about company operations — everything from the name of the dumpster service to the details of the IT architecture. (We posted a story about it here, describing a call to Apple that yielded a whole lotta info.  Boy, Steve’s gonna be mad. There’s also an audio file with a three-minute explanation of the contest by its organizers, an group called Social-Engineer.  The audio file is located about half-way through the story.)  Read about the Social Engineering organization here.

The annual session on physical lock security is always a hit. (This year there was more than one.)  We attended the presentation by Marc Weber Tobias.  His team demonstrated flaws in five different locks, from the plain-vanilla pin tumbler lock on your back door, to the $200  fingerprint biometric, the electronic RFID military lock and even a personal safe.  You can see the videos here, demonstrating how the locks were breached.

Speaking of physical security — a state agency head in California sent an email message to 175 employees announcing that the lock at the south end of their office building was malfunctioning, and there was no budget to fix it. This column in the Sacramento Bee offers an unintentionally comical account of the way this broken lock was broadly communicated to the world when one of the employees faxed a copy of the email to a state worker newsletter. The info apparently ended up — we’re not sure how — on the desk of the SacBee reporter who wrote the column.  The major point of the story is that California has no money, and even getting approval to fix a broken lock on a state building in a bad neighborhood is a tough uphill climb. But the funny part is how nobody ever stopped to consider that inside this building, where unemployment benefit checks are written, there is a whopping amount of personal information about the citizens of the State Formerly Known as Golden.  Wow… If we were bad guys we’d probably keep an eye on this place even after the lock is fixed, because it might be a really easy target.

Adobe plans emergency patch for critical Reader bug

If we don’t laugh, we’ll probably cry.  For laughs – a national association of perverts has offered an endorsement of body scanning machines in airports.  Now read this and weep – The feds love these machines so much that they’ve decided to deploy them at federal courthouses as well as airports. Where next, the public library?  And yes, they do store images, the feds now admit, after repeated denials that the machines had such capabilities.  Duh.  Did we think they would perform a visual inspection for contraband, and then fail to store the image for evidence during prosecution?

Episode 160 – su root edition:

This is our unedited edition, featuring three interviews straight from DefCon 18.  The audio file is 34 minutes long. This is a special DefCon18 edition featuring interviews with David Bryan on building a network to withstand thousands of hackers, and using low-cost equipment and volunteers. He has lessons for anyone building a network today. Then we have an interview with Chris Drake of Firehost web hosting on web application security. Finally the third interview is with Suhil Ahmed of Airwave Security about his discovery of a flaw in the WPA WiFi security protocol that can reveal confidential information, and has no patch. But, there is a workaround.

You can hear it by clicking on the flash player below, or you can go to the listening options page and browse for other ways to hear the show.

To listen to su root edition (episode 160)  via the flash player:

Episode 157 – July 25, 2010

Posted in Breach, Conference Coverage, Court Cases, criminal forensics, darkweb, ediscovery, Show Notes, The CyberJungle, Vulnerabilities with tags , , , , , on July 24, 2010 by datasecurityblog

You can hear episode 157 by clicking on the Flash player below, or if your device does not support Flash, you can visit our  listening options page for other ways to receive the show. Episode 157 is one hour and 10 minutes long.

Interviews

Dr. Charlie Miller, Principal Analyst for Independent Security Evaluators,  offers a preview of his DefCon presentation about cyberwarfare to be given in Las Vegas at the end of the month.  “Kim Jong-il and Me.” (Yes he’s that Charlie Miller.) Charlie says he really didn’t feel qualified to address the topic of cyberwarfare when he was first asked, but then decided to treat the request as an opportunity to play a game in he pretended he was approached by a rogue government for the purpose of building a cyberarmy.  What would it take?  Hear Charlie’s interview about 23 minutes into episode 157.

Retraction

The CyberJungle mistakenly reported that it is not possible to turn off an Apple iPad and iPhone feature that reports the owner’s location to the Big A twice daily.  We oversimplified this story and we got it wrong.  We have been informed by our favorite Apple connoisseurs that it is possible to turn the feature off.  We apologize for the misinformation. We have removed the segment from the podcast, so it won’t be heard again,  and we will note in next week’s radio show that we were incorrect.

Tales from the Dark Web

If you’re using Microsoft Windows this attack is aimed at you.  (Raise your hand if you aren’t using Microsoft Windows.)  Here is the MSFT Advisory on the Microsoft Link Attacks. Here is an explanation of the attack and video demo from Sophos.

Our Take on This Week’s News

A consumer survey that measured for the first time customer satisfaction with social media sites reports that — are you sitting down? — people hate Facebook.  It scored lower than the airlines and the cable companies, and even lower than the IRS.

A watchdog organization reports that White House Emails Show More Extensive Improper Contact With Google. The National Law and Policy Center posts links to its letter to the House Committee on Oversight and Government Reform, asking for an investigation of the relationship between Google and its former lobbyist who now occupies the top advisory position to president Obama on internet policy.  There are also links to some of the emails, which seem to support the conclusion that Deputy Chief Technology Officer Andrew McLaughlin is helping to stack the policy deck in Google’s favor on a number of issues.

And while we’re at it, was Google providing intelligence data to the federal government as part of its WiFi Streetview program?

This should freak you out. A Woman found a webcam hidden inside a copy of Chicken Soup for the Soul, which was on a bookcase in her bedroom, pointed directly at her bed.  We found a source for these cameras, which are supposed to be a security tool,  for less than 50 bucks.

Get comfy on the patio with a cold brew and read this great story about a fake infosec chick who persuaded her social networking pals — mostly guys who know secrets related to national security — to forget themselves and reveal a lot of stuff they aren’t supposed to give up.  To anyone.  The girl — Robin Sage — was named after a military training exercise, which was just one of many clues that “screamed fake,” according to her creator, a security researcher whose ruse has demonstrated something we all knew.  Only James Bond can flirt with an exotic hottie and not get burned.

GM suffers theft of hybrid technology worth an estimated $40million. Insider stole information by using a portable USB drive. Data allegedly sold to at least one Chinese auto maker, Chery.

Major Zero-day flaw in Apple’s Safari browser discovered, Apple ignored the warnings so well-known researcher goes public.

Some Dell replacement motherboards come pre-loaded with malware.

July 4th, 2010 – Episode 151

Posted in Annoucements, Breach, Court Cases, criminal forensics, ediscovery, Show Notes, The CyberJungle, Vulnerabilities with tags , , , , on July 3, 2010 by datasecurityblog

You can hear Episode 151 by clicking on the flash player below, or you can go to our listening options page, and find other ways to receive the show. Episode 151 is one hour and ten minutes long.

Interview Segments:

Interview – Laptop security – it’s part psychology, part technology. Dr. Larry Ponemon from the Ponemon Institute shares his research on laptop theft.  The interview is about ten minutes long, and it starts about 54 minutes into the show.

Interview – David Thompson is co-author of Wild West 2.0, a book that explains what’s happening as the wild web matures, and becomes civilized.  The book takes a historical approach, by drawing parallels between the internet and the wild American frontier, and the disruptions to society as “gentrification” occured — and newbies began to inhabit those spaces.

Event Announcement- Sierra Nevada Infragard

Get smart about smart phone policy in the workplace:

The InfraGard Sierra Nevada Members Alliance is holding its summer meeting on Thursday, July 15, 2010, on the topic of an urgent workplace hazard: Employee-Owned Smartphones—Accessing Workplace Email and Data. A panel of data security and legal experts will cover the technology, human resource, and legal issues related to smartphones in the workplace.

This is a lunch-time event. Donation is $8 buys a light lunch and the admission.  The location is: The Regional Public Safety Training Center, 5190 Spectrum Boulevard, Room #102A, Reno, Nevada

Pre-registration/RSVP

Our Take on This Week’s News

America is riddled with politically motivated surveillance,or so reports the American Civil Liberties Union. Here’s the ACLU report on police infiltration and monitoring of citizen activity in 33 states and the District of Columbia.

Don’t think about lying in family court… divorce lawyers are finding out the real scoop on facebook.

Best Buy tries to fire employee for satire.  The employee was worked three years selling mobile phones for Best Buy.  But the company didn’t appreciate it when its mobile phone expert created a video poking fun at the irrational appetite for iPhone. WARNING: Do not listen to this at work without headphones; potty mouth alert!

Voice mail hacking –  an example of an app that allows  CallerID spoofing.  Anyone can get into many voice mail accounts without a password, and can listen to messages, alter settings, or even create a new voice mail greeting.

Growing risks of advanced attack threats — eighty percent of businesses have been hit.

The government of India has ordered Skype, RIM (Blackberry) and Google to provide a way for its security agencies to intercept messages.  Why is this important? Two reasons:  1) we all do business with India in some indirect fashion.  Someone you are doing business with is doing business with companies in India.  2)  Giving a back door to the Indian government is, in effect, giving it to the world.  The companies have 15 days to comply with the order or be banned from doing business in India.

FBI’s Internet Crime Complaint Center (IC3) reports a spam attack that appears to come from one of your friends who is stuck overseas without money or passport.  Needs help.

The accused Russian Spies had an interesting bag of tricks that included the use of steganography. That’s the art and science of hiding messages in plain site, by embedding the information in the text of another document, or in a photo or a piece of art.  It’s not just a tool for spies. You, too, can use steganography to protect your privacy.

June 26, 2010 – Episode 149

Posted in Breach, Conference Coverage, Court Cases, criminal forensics, darkweb, ediscovery, eMail Security, Exclusive, Legislation, Report Security Flaws, The CyberJungle, Vulnerabilities, web server security with tags , , , , , , , , on June 26, 2010 by datasecurityblog

You can listen to Episode 149 by clicking on the flash player below, or go to our listening options page for a list of other ways to receive the show.  Episode 149 is one hour and 15 minutes long.

To listen to Episode 149 via the flash player:

Interviews:

Your employees will use social media whether you like it or not… and our expert says fully20 percent of current business communication is done via social media. So why not take control of the situation, and create ground rules and guidelines, so you’re in charge of how it’s used?  Our interview with Gartner Research Director Andrew Walls is 8 minutes long and starts about 24 minutes into the show. This is an excerpt. We also posted the entire 25-minute interview on our conference notes page, if you’d like to hear it.

In our interview with Ed Rowley of M86 Security, we discuss a new iPhone scam……… The interview starts 61 minutes into the show.

Tales from the Dark Web

Polymorphic attacks are making the lastest drive-by infected web sites mostly invisible to signature-based anti-virus.

Our Take on This Week’s News

iPhone 4 and Motorola Droid X released in the same week.  Guess which phone won the hype war?  The press coverage of the iPhone release centered on the ecstatic throngs of Apple heads waiting all night on the sidewalk outside the stores.  The Android roundup consisted of dry product reviews and analysis of the platform’s future prospects.

Meanwhile smart phone security is a hot topic, and Ira just returned from the Gartner Security and Risk Management Summit, where there was a comprehensive session on the subject.

Speaking of phones… congress is holding hearings on cellphone tracking of citizens by government.

Employers are in denial about the sensitive information that lives on the laptops and smart phones of their employees. Listen to our interview with Kevin Beaver of Principle Logic, who found an interesting gap between perception and reality while he was conducting security audits.  The interview is just over 4 minutes long, taped at the Gartner conference. Look for it on our conference notes page.

Scotland Yard cuffs teens alleged to be participants in the largest English-speaking cybercrime forum in the world.

Lawyers breach medical records during discovery. Anthem spokesperson says, not to worry, the data was only accessible for a short period of time.  Thank goodness!

FBI released information about a new approach to banking attacks with a simultaneous denial of service attack on the account holdder’s phone lines.  Very complicated.

Happy Birthday to George Orwell.  His influence cannot be understated.  He would have been 107 years old on June 25, 201o.

Follow

Get every new post delivered to your Inbox.

Join 1,106 other followers