Archive for Surveillance cameras

Episode 157 – July 25, 2010

Posted in Breach, Conference Coverage, Court Cases, criminal forensics, darkweb, ediscovery, Show Notes, The CyberJungle, Vulnerabilities with tags , , , , , on July 24, 2010 by datasecurityblog

You can hear episode 157 by clicking on the Flash player below, or if your device does not support Flash, you can visit our  listening options page for other ways to receive the show. Episode 157 is one hour and 10 minutes long.

Interviews

Dr. Charlie Miller, Principal Analyst for Independent Security Evaluators,  offers a preview of his DefCon presentation about cyberwarfare to be given in Las Vegas at the end of the month.  “Kim Jong-il and Me.” (Yes he’s that Charlie Miller.) Charlie says he really didn’t feel qualified to address the topic of cyberwarfare when he was first asked, but then decided to treat the request as an opportunity to play a game in he pretended he was approached by a rogue government for the purpose of building a cyberarmy.  What would it take?  Hear Charlie’s interview about 23 minutes into episode 157.

Retraction

The CyberJungle mistakenly reported that it is not possible to turn off an Apple iPad and iPhone feature that reports the owner’s location to the Big A twice daily.  We oversimplified this story and we got it wrong.  We have been informed by our favorite Apple connoisseurs that it is possible to turn the feature off.  We apologize for the misinformation. We have removed the segment from the podcast, so it won’t be heard again,  and we will note in next week’s radio show that we were incorrect.

Tales from the Dark Web

If you’re using Microsoft Windows this attack is aimed at you.  (Raise your hand if you aren’t using Microsoft Windows.)  Here is the MSFT Advisory on the Microsoft Link Attacks. Here is an explanation of the attack and video demo from Sophos.

Our Take on This Week’s News

A consumer survey that measured for the first time customer satisfaction with social media sites reports that — are you sitting down? — people hate Facebook.  It scored lower than the airlines and the cable companies, and even lower than the IRS.

A watchdog organization reports that White House Emails Show More Extensive Improper Contact With Google. The National Law and Policy Center posts links to its letter to the House Committee on Oversight and Government Reform, asking for an investigation of the relationship between Google and its former lobbyist who now occupies the top advisory position to president Obama on internet policy.  There are also links to some of the emails, which seem to support the conclusion that Deputy Chief Technology Officer Andrew McLaughlin is helping to stack the policy deck in Google’s favor on a number of issues.

And while we’re at it, was Google providing intelligence data to the federal government as part of its WiFi Streetview program?

This should freak you out. A Woman found a webcam hidden inside a copy of Chicken Soup for the Soul, which was on a bookcase in her bedroom, pointed directly at her bed.  We found a source for these cameras, which are supposed to be a security tool,  for less than 50 bucks.

Get comfy on the patio with a cold brew and read this great story about a fake infosec chick who persuaded her social networking pals — mostly guys who know secrets related to national security — to forget themselves and reveal a lot of stuff they aren’t supposed to give up.  To anyone.  The girl — Robin Sage — was named after a military training exercise, which was just one of many clues that “screamed fake,” according to her creator, a security researcher whose ruse has demonstrated something we all knew.  Only James Bond can flirt with an exotic hottie and not get burned.

GM suffers theft of hybrid technology worth an estimated $40million. Insider stole information by using a portable USB drive. Data allegedly sold to at least one Chinese auto maker, Chery.

Major Zero-day flaw in Apple’s Safari browser discovered, Apple ignored the warnings so well-known researcher goes public.

Some Dell replacement motherboards come pre-loaded with malware.

July 4th, 2010 – Episode 151

Posted in Annoucements, Breach, Court Cases, criminal forensics, ediscovery, Show Notes, The CyberJungle, Vulnerabilities with tags , , , , on July 3, 2010 by datasecurityblog

You can hear Episode 151 by clicking on the flash player below, or you can go to our listening options page, and find other ways to receive the show. Episode 151 is one hour and ten minutes long.

Interview Segments:

Interview – Laptop security – it’s part psychology, part technology. Dr. Larry Ponemon from the Ponemon Institute shares his research on laptop theft.  The interview is about ten minutes long, and it starts about 54 minutes into the show.

Interview – David Thompson is co-author of Wild West 2.0, a book that explains what’s happening as the wild web matures, and becomes civilized.  The book takes a historical approach, by drawing parallels between the internet and the wild American frontier, and the disruptions to society as “gentrification” occured — and newbies began to inhabit those spaces.

Event Announcement- Sierra Nevada Infragard

Get smart about smart phone policy in the workplace:

The InfraGard Sierra Nevada Members Alliance is holding its summer meeting on Thursday, July 15, 2010, on the topic of an urgent workplace hazard: Employee-Owned Smartphones—Accessing Workplace Email and Data. A panel of data security and legal experts will cover the technology, human resource, and legal issues related to smartphones in the workplace.

This is a lunch-time event. Donation is $8 buys a light lunch and the admission.  The location is: The Regional Public Safety Training Center, 5190 Spectrum Boulevard, Room #102A, Reno, Nevada

Pre-registration/RSVP

Our Take on This Week’s News

America is riddled with politically motivated surveillance,or so reports the American Civil Liberties Union. Here’s the ACLU report on police infiltration and monitoring of citizen activity in 33 states and the District of Columbia.

Don’t think about lying in family court… divorce lawyers are finding out the real scoop on facebook.

Best Buy tries to fire employee for satire.  The employee was worked three years selling mobile phones for Best Buy.  But the company didn’t appreciate it when its mobile phone expert created a video poking fun at the irrational appetite for iPhone. WARNING: Do not listen to this at work without headphones; potty mouth alert!

Voice mail hacking –  an example of an app that allows  CallerID spoofing.  Anyone can get into many voice mail accounts without a password, and can listen to messages, alter settings, or even create a new voice mail greeting.

Growing risks of advanced attack threats — eighty percent of businesses have been hit.

The government of India has ordered Skype, RIM (Blackberry) and Google to provide a way for its security agencies to intercept messages.  Why is this important? Two reasons:  1) we all do business with India in some indirect fashion.  Someone you are doing business with is doing business with companies in India.  2)  Giving a back door to the Indian government is, in effect, giving it to the world.  The companies have 15 days to comply with the order or be banned from doing business in India.

FBI’s Internet Crime Complaint Center (IC3) reports a spam attack that appears to come from one of your friends who is stuck overseas without money or passport.  Needs help.

The accused Russian Spies had an interesting bag of tricks that included the use of steganography. That’s the art and science of hiding messages in plain site, by embedding the information in the text of another document, or in a photo or a piece of art.  It’s not just a tool for spies. You, too, can use steganography to protect your privacy.

June 26, 2010 – Episode 149

Posted in Breach, Conference Coverage, Court Cases, criminal forensics, darkweb, ediscovery, eMail Security, Exclusive, Legislation, Report Security Flaws, The CyberJungle, Vulnerabilities, web server security with tags , , , , , , , , on June 26, 2010 by datasecurityblog

You can listen to Episode 149 by clicking on the flash player below, or go to our listening options page for a list of other ways to receive the show.  Episode 149 is one hour and 15 minutes long.

To listen to Episode 149 via the flash player:

Interviews:

Your employees will use social media whether you like it or not… and our expert says fully20 percent of current business communication is done via social media. So why not take control of the situation, and create ground rules and guidelines, so you’re in charge of how it’s used?  Our interview with Gartner Research Director Andrew Walls is 8 minutes long and starts about 24 minutes into the show. This is an excerpt. We also posted the entire 25-minute interview on our conference notes page, if you’d like to hear it.

In our interview with Ed Rowley of M86 Security, we discuss a new iPhone scam……… The interview starts 61 minutes into the show.

Tales from the Dark Web

Polymorphic attacks are making the lastest drive-by infected web sites mostly invisible to signature-based anti-virus.

Our Take on This Week’s News

iPhone 4 and Motorola Droid X released in the same week.  Guess which phone won the hype war?  The press coverage of the iPhone release centered on the ecstatic throngs of Apple heads waiting all night on the sidewalk outside the stores.  The Android roundup consisted of dry product reviews and analysis of the platform’s future prospects.

Meanwhile smart phone security is a hot topic, and Ira just returned from the Gartner Security and Risk Management Summit, where there was a comprehensive session on the subject.

Speaking of phones… congress is holding hearings on cellphone tracking of citizens by government.

Employers are in denial about the sensitive information that lives on the laptops and smart phones of their employees. Listen to our interview with Kevin Beaver of Principle Logic, who found an interesting gap between perception and reality while he was conducting security audits.  The interview is just over 4 minutes long, taped at the Gartner conference. Look for it on our conference notes page.

Scotland Yard cuffs teens alleged to be participants in the largest English-speaking cybercrime forum in the world.

Lawyers breach medical records during discovery. Anthem spokesperson says, not to worry, the data was only accessible for a short period of time.  Thank goodness!

FBI released information about a new approach to banking attacks with a simultaneous denial of service attack on the account holdder’s phone lines.  Very complicated.

Happy Birthday to George Orwell.  His influence cannot be understated.  He would have been 107 years old on June 25, 201o.

June 20, 2010 – Episodes 147 and 146

Posted in Breach, Court Cases, criminal forensics, darkweb, eMail Security, Legislation, Show Notes, The CyberJungle, Vulnerabilities, web server security with tags , , , , , , , on June 19, 2010 by datasecurityblog

Episode 147 is the this week’s full episode of The CyberJungle.  Episode 146 is the su root edition for advanced listeners – too technical for the radio.

Episode 147-

This week’s show is 1 hour and 14 minutes long. You can hear it by clicking on the flash player below, or you can go to the listening options page and browse for other ways to hear the show.

To listen to Episode 147 via the flash player:

Interviews:

David Perry, Global Director of Education for TrendMicro. David just flew back from the international Anti-Phishing Working Group Conference in Sao Palo Brazil. David became really animated when I asked him about details regarding a huge cybercrime armies in China.  David recommends the Counter-Measures Blog by TrendMicro. This conversation is about 9 minutes long, and starts about 21 minutes into the show.  For the full 36-minute interview, which was too long and technical to air on the radio, scroll down to Episode 146.

ALSO – Security Software entrepreneur Phil Lieberman President of Lieberman Software, who has been serving as an adviser to members of the U.S, Senate on the cybersecurity bill…. sweeping new legislation that could impact every department in the Federal Government, and data security at the Ssate level.  That interview begins about 58 minutes into the show.

Tales from the Dark Web:

A 21-year-old cybercriminal parlayed his talent into  a Porsche, expensive watches and £30,000 in gold bullion. He’s been arrested.

Our Take on This Week’s News:

The rush to deploy smart meters:  Federal stimulus money can get you high, and it makes decision-makers really stupid.  The smart meters are among several advanced systems being deployed before they’re really ready, in terms of their vulnerability to cybercrime. BTW — Kudos to cnet’s Elinor Mills who wrote the article above. Well researched and thorough.

Buy a Chevy Volt – Get a Free Government Surveillance Device! Yes, if you’re one of the first to purchase, you’ll receive a super-fast charger for your garage… and it reports back to big brother on the details of your daily driving.

And if you like reporting to big brother about your driving habits, maybe you should move to the UK, where the cops have stored 7.6 billion images of cars moving through the streets.  HMP Britain is an interesting blog that’s posted the response to its FOIA request about the use of the data taken from CCTV —  a surveillance method ubiquitous in Britain.  HMP stands for “Her Majesty’s Prison” and it’s a prefix in the name of the slammer in every jurisdiction.  HMP Nottingham, etc…. The name of the website suggests the entire nation is a prison, according to its proprietor.

Sorry, wrong number:  Another week, AT&T and Apple team up for another giant blunder. Customers who logged onto their AT&T accounts to order the new iPhone 4 were greeted with someone else’s account information. Has anyone at these companies heard of web application security?

Goatse Security published a serious security flaw in Safari browser that impacts on the iPhone/iPad back in March. Apple has still not patched that flaw, and the code is available on the internet for any attacker to see.

The Disgruntled Employee Chronicles, Chapter 359:  How many times does this story have to play out before managers begin to realize that when you fire someone,  you have to terminate their user name and password.  This former employee was creating havoc inside the hospital’s network after he no longer worked there.

A serious flaw in Windows XP – No patch available. Bad guys taking advantage of the situation. Time to upgrade to Win 7 already? (Come on, Tommy Turtle… do it.)  Go here for information about some other measures you can take.

At last! A data breach story with a happy ending!  Department of the Interior lost a CD containing personal data for 7500 federal employees… but wait a minute…. The data was encrypted and password protected.  And the department reviewed its procedures to make sure it doesn’t happen again.  And they disclosed the loss of the disk within 10 days.  And then pigs started flying out the windows of the Department of the Interior building.  (Just kidding.  We salute the Department of the Interior. If only other federal agencies would implement and follow best practices.)

The good folks at EFF offer yet another great privacy and security idea!   HTTPS everywhere. It’s a Firefox plug-in that encrypts popular search engine and social media sites.  Also allows you to customize sites you visit frequently. Check it out.

More about the Google StreetView debacle.  The roaming hacker cars grabbled user names and passwords, including for email accounts.

Everything Old is New Again. The USB typewriter, for instance.  Cute, but can you imagine hauling it onto an airplane?

Episode 146- su root Edition:

This is our unedited interview wth David Perry, Global Director of Education for TrendMicro. We had a long conversation about iPhone security, web application security, and malware attacks. ALSO — David discusses an army of 300,000 Chinese cybercriminals.  The interview is 36 minutes long. Click on the flash player below, or go to our listening options page and browse for other was to hear the show.

To listen to Episode 146 via the flash player:

May 23, 2010 – Episode 139

Posted in Court Cases, criminal forensics, Podcast, Show Notes, The CyberJungle, Vulnerabilities with tags , , , , , , , , , on May 22, 2010 by datasecurityblog

Interview Segment:

Josh Levy, a writer, internet strategist, and the organizer of a project called “pledge to leave facebook.” The interview is 9 minutes long, and it starts about 56 minutes into the show. Episode 139 is 1 hour and 12 minutes long. You can hear it by clicking on the flash player below, or click on the listening options page for other ways to listen.

To listen to Episode 139 via the flash player:

Our take on this week’s news:

Co-host Ira Victor is out of town.  Lee Rowland from the ACLU of Nevada sits in as guest co-host for a first-hour privacy round-up.  Recent issues include:

The Houston Police Department recently held a secret (no media allowed) event where the invited guests contemplated the use of drone aircraft for domestic law enforcement.  Nonetheless,  one news outlet got wind of it, and stationed its television cameras on the property next door. They caught the launch of the drone on camera.  Cops say they aren’t sure how they’ll use the technology, but aren’t ruling out anything. Watch the whole report.  It’s about four minutes long.

Incoming U.C. Berkeley freshmen are being encouraged to offer a  DNA sample.  And why were RFID chips implanted in Alzheimers patients without proper oversight?

TSA continues to roll out the full body scanning machines to airports across the nation.  Passengers don’t seem to be aware that they can opt for a pat-down instead of a virtual strip search.

Tough week for Facebook.  The Wall Street Journal reports the company gave personal info to advertisers. EFF offers insight.

On the heels of a CBS news investigative report about the data left on copy machine hard drives, the FTC is applying pressure to the makers of the machines to educate customers about scrubbing the hard drives.  (Xerox is leading the pack, according to one account.)

The first-ever jail sentence for a HIPAA violation has been imposed. We wonder why this guy was informed he was about to be fired, and then allowed to hang around and access patient records repeatedly.

Todd Davis of LifeLock told the world his social security number as an advertising gimmick, trying to prove a point, of course.  His identity has been successfully stolen 13 times since being “covered” by LifeLock.

Not cool enough for a mac?  Why the Apple Store refused to sell an iPad to a disabled woman. (She wanted to pay cash. Apple’s iPad policy was credit or debit card only.) And why Apple relented, and delivered the device to her home a few days later. (San Francisco television consumer reporter Michael Finney and his news feature “7 on Your Side” shamed them into it.)

May 8, 2010 – Episode 135

Posted in Breach, criminal forensics, ediscovery, The CyberJungle, Vulnerabilities, web server security with tags , , , , , , on May 9, 2010 by datasecurityblog

Interview segment

If your company accepts credit cards, listen to our featured interview with Richard Moulds from security firm Thales.  He and Ira discuss the upcoming revision of Payment Card Industry standards. (Standards are set  by the PCI Security Standards Council).  Thales sponsored a survey of PCI auditors, to discover where they believe the weak spots are, and where improvements should be made. The interview is 11 minutes long, and it starts 56 minutes into Episode 135.

You may listen to to Episode 135 on via the flash player:

You may download the MP3 file here; or go to the listening options page for other ways to hear the program.

Our Take on This Week’s News

FedGov wants to snoop into your financial transactions: As most major news organizations have reported, there are potential privacy hazards for consumers and merchants lurking in the federal financial reform bill.  Republicans objected last week to the creation of two agencies that would be empowered to scrutinize purchases made on credit. We’re thankful the subject was raised, but we note that the Republicans very likely were using consumer privacy as a bargaining chip to get other changes in the bill that they consider truly important.  Let’s not be lulled into believing that citizen privacy is not a priority for any legislator when there are other issues on the table. Sure enough, this article, published a day and a half later, bears out our assertion.  It’s a three-page report indicating that Republican objections had been trounced.  In three pages of reporting, not a mention of the privacy concerns, so it’s clear that other matters dominated the discussion, and any concerns over privacy must have evaporated in the backroom discussions.

BTW –  those two snooping “consumer protection” agencies would be located within the Federal Reserve and the U.S. Department of Treasury.  Well, it seems that Treasury is having some data security problems right now.  PandaLabs has located easy-as-pie hacker kits with targets that include the U.S. Treasury.

Computer glitches hamper census:  Remember how much money and effort was spent persuading you to return your census form?  Now the GAO reports fairly significant problems with the computer system that was specially designed for processing the paper responses.  For the moment, they’re reporting major cost overruns — AND — that a lot of the paper responses might not be counted anyway.  Why is this in our data security beat?  Because information security has three pillars:  Confidentiality, Integrity, and Availability.  We can rule out data integrity here, because the census data most likely won’t be accurate. Rule out confidentiality, because, as congress has now been informed, stacks of paper responses are piled up in offices waiting to be entered into the system.  And we should probably rule out availability too, unless the many agencies making use of census data want to trudge over to the commerce department and analyze it by hand.

You may have seen this by now:  Hats off to CBS news for their coverage of the copy machine hard drives left unscrubbed when the machines are discarded by business.  Chilling.  Few mainstream news organizations are doing good coverage of these issues, and we hope this CBS reporter wins an award for his excellent work.

The FBI is having some challenges with forensic investigations on smart phones and game consoles. Read why they need to get info from these devices.

WiFi cracking kits make it easier than ever for wireless networks to be hacked.

This Tuesday is Patch TuesdayMicrosoft is offering a webinar to answer customer questions about patching.  Kudos for this public outreach.  But why was Microsoft silent last month, when it issued these patches?

Did fedgov use drones to track the Times Square bomber?  This story has not been reported anywhere else, but the source seems credible.  Leaving us to wonder about the Obama administration’s public preference for giving suspected terrorists constitutional rights.  A terrorist is either a criminal suspect or a combatant.  Not both.  If there is a behind-the-scenes use of military signal intelligence to track criminals, then they are not criminals, they are combatants. Or are they? Let’s decide and stick with one course.

Caller Kevin wanted to know how to diagnose mysterious CPU spikes on his system. Is there a security issue here? Ira promised to look up a free utility that can help. Long ago, when The CyberJungle was still the Data Security Podcast, we reported on MimarSinan’s Rubber Ducky System Monitor. Jim Murray, the creator of this utility, talked with us about how he came up with the software after his wife’s computer system came under attack.

Lovers of Apple can become lovers:  A new dating site for fans of Apple products.  God bless entrepreneurs everywhere.

Follow

Get every new post delivered to your Inbox.

Join 1,126 other followers