Archive for two factor

Data Security Podcast Episode 56 – June 8 2009

Posted in Breach, Court Cases, criminal forensics, darkweb, ediscovery, eMail Security, Podcast, Vulnerabilities, web server security on June 7, 2009 by datasecurityblog

The Data Security Podcast is the place for 30 minutes of news every week on data security, privacy, and the law.

This week’s program – Twitter users are the target of a new, malicious web re-direct. How will The President’s new cybersecurity plan impact you? One of the nation’s top cryptographers weighs in. And, our take on this week’s news.

–> Stream, subscribe or download – Listen or subscribe to the feed to automatically get the latest episode sent to you to your Google, Yahoo, iTunes, or other popular sites.

–> Tune into the show directly on iTunes, you can also subscribe to the program on iTunes.

This week’s show is sponsored in part by Vipre Anti-Virus, the complete Antimalware solution by Sunbelt Software.  If you TRY the enterprise version, you get the home version for FREE! Go to: http://www.testdrivevipre.com . Also sponsored by  DeviceLock Removable Media Security Software.

The Show Notes Page for this week’s The Data Security Podcast

–> Ira has a conversation with Paul Kocher, President and Chief Scientist of Cryptography Research, Inc. about The Obama Administration’s new cybersecurity plans.

–> Tales From The Dark Web: Finjan‘s CTO Yuval Ben-Itzhak talks with us about a new web re-direction attack targeting users of Twitter.

–> From The News: Is there a constitutional right to informational privacy? The Ninth Circuit Court suggests there is by issuing an injunction in favor of contract employees at NASA who objected to invasive background investigations. But then the full Court declined to hear the case. So the question won’t be settled any time soon, but it raises some interesting issues.

Judge Kozinski’s dissent (we should hear the case)

Judge Wardlaw’s concurrence (we shouldn’t hear the case)

A dissection of the privacy issues by legal blogger Eugene Volokh at the Volokh Conspiracy. Don’t scroll — the link will take you to the top of the blog, and then jump to the correct post.

–> The Wrap:  Autorun Worm Invades ZIP

Autorun Worm Invaded Zip Files


StrongWebMail Bounty Attack – Caveat Emptor

Posted in Breach, eMail Security, Exclusive, web server security on June 7, 2009 by datasecurityblog

StrongWebMail has received publicity for the $10,000 bounty that the company’s chief executive offered if someone could break into his web mail account. The executive, Darren Berkovitz, posted his StrongWebMail username and password on the company web site.

IDG is reporting that three information security professionals are now claiming that they were able to pwn (“own”) Mr. Berkovitz’s StrongWebMail account. Although their exact method has not been revealed, IDG is reporting that the StrongWebMail site was vulnerable to cross site scripting attacks.

The Data Security Podcast had a conversation with Darren Berkovitz on Friday June 5th.

He was not yet ready to talk about the StrongWebMail bounty attack. But, he agreed to do so in the coming week. That conversation will be posted on June 15th, in Episode 57 of the Data Security Podcast.

He did talk with us on Friday about his service in general, and about the challenges of market adoption of multi-factor authentication.

StrongWebMail’s parent company, Telesign, is a provider of phone-focused multi-factor authentication services. The service allows owners of web sites to validate users with a phone call to the end user. That call contains a validation code, for use on the web site in addition to a username/password pair. StrongWebMail is, in some ways, a proof of concept designed by Telesign to demonstrate the acceptance of multi-factor authentication for the world’s most popular web application: web mail.

According to Mr. Berkovitz, StrongWebMail uses an off-the-shelf web mail application once users get past validation.

And, that may be the chink in the armour that security researchers used. Rather than attacking the multi-factor element, IDG reports that the researchers created their own StrongWebMail accounts. They then used those accounts to launch attacks that allowed them to “hop over” from one user account to another, including, allegedly, hopping over to Mr. Berkovitz’s account.

If they waited for Mr. Berkovitz to log in, and then hopped over to his account, that could be a method to gain access to his account. If this is indeed the nature of the bounty attack, then it re-emphasizes the importance of securing the code of web applications. The best multi-factor systems cannot compensate for weaknesses in a web application.

So, if we are on the right track, then this is not a story about the weaknesses of a two-factor authentication system. This may simply be another example of the importance of security in web-based, or so-called cloud computing, applications. That even includes web sites that assure customers that “our site is secure,” or sites that carry names, icons, or other technologies associated with information security in general.
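To make the post’s point concrete, here is an added example (ours, not code from StrongWebMail, Telesign, or the researchers, and not a description of their actual method): a toy webmail inbox renderer that interpolates message subjects straight into HTML, next to the escaped version, plus a check for the cookie attribute that keeps a post-login session out of reach of any script that does run. The phone-call validation step is assumed to have already succeeded; the messages and cookie values are constructed for the demonstration.

```python
import html
import re

# Constructed sample messages (not real mail): one benign, one whose subject
# carries markup, the kind of input a stored-XSS test would send a webmail app.
SAMPLE_MESSAGES = [
    {"sender": "alice@example.test", "subject": "Lunch tomorrow?"},
    {"sender": "mallory@example.test",
     "subject": '<script>alert("hopped")</script>'},
]


def render_inbox_vulnerable(messages):
    """The weak pattern: untrusted fields dropped into HTML unchanged.

    Passing the multi-factor login gate does nothing to stop this; the
    markup executes in the browser of whoever opens the inbox.
    """
    rows = "".join(
        f"<tr><td>{m['sender']}</td><td>{m['subject']}</td></tr>"
        for m in messages
    )
    return f"<table>{rows}</table>"


def render_inbox_safe(messages):
    """The hardened pattern: every untrusted field is escaped on output,
    so a subject containing tags is displayed as literal text."""
    rows = "".join(
        f"<tr><td>{html.escape(m['sender'])}</td>"
        f"<td>{html.escape(m['subject'])}</td></tr>"
        for m in messages
    )
    return f"<table>{rows}</table>"


# Deliberately crude: a test suite or code reviewer can run this over rendered
# pages to catch the obvious case of a live <script> tag in the output.
_SCRIPT_TAG = re.compile(r"<\s*script\b", re.IGNORECASE)


def contains_active_markup(rendered_html):
    return _SCRIPT_TAG.search(rendered_html) is not None


def session_cookie_header(session_id):
    """Set-Cookie line for the session issued after validation succeeds.

    HttpOnly keeps document.cookie from reading it, Secure keeps it off
    plaintext HTTP, SameSite=Lax limits cross-site sending. These attributes
    narrow what an injected script can do, but they do not replace escaping.
    """
    return f"Set-Cookie: sid={session_id}; HttpOnly; Secure; SameSite=Lax; Path=/"


def cookie_blocks_script_access(set_cookie_line):
    """True if the Set-Cookie line carries the HttpOnly attribute."""
    attributes = [part.strip().lower() for part in set_cookie_line.split(";")]
    return "httponly" in attributes


if __name__ == "__main__":
    print("vulnerable output has live script:",
          contains_active_markup(render_inbox_vulnerable(SAMPLE_MESSAGES)))
    print("escaped output has live script:",
          contains_active_markup(render_inbox_safe(SAMPLE_MESSAGES)))
    print(session_cookie_header("constructed-session-id"))
```

The escaping lives in the off-the-shelf webmail application, not in the authentication front end, which is exactly why a strong login step alone cannot fix it: whichever layer builds the page from user-supplied mail has to do the encoding.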

Data Security Podcast Episode 52 – May 11 2009

Posted in Breach, darkweb, Podcast, Vulnerabilities, web server security on May 11, 2009 by datasecurityblog

The Data Security Podcast is the place for 30 minutes of news every week on data security, privacy, and the law.

This week’s program – Cross Site Forgery Attacks; A different approach to stopping malicious code. And, our take on this week’s news.

–> Stream, subscribe or download – Listen or subscribe to the feed to automatically get the latest episode sent to you to your Google, Yahoo, iTunes, or other popular sites.

–> Tune into the show directly on iTunes, you can also subscribe to the program on iTunes.

–> Stream, subscribe, or download via our page at Podcast.com.

This week’s show is sponsored by Vipre Anti-Virus, the complete Antimalware solution by Sunbelt Software.  If you TRY the enterprise version, you get the home version for FREE! Go to: http://www.testdrivevipre.com .

The Show Notes Page for Episode 52 of The Data Security Podcast

-> Ira has a conversation with Tom Murphy, Senior Strategist with Bit9 about whitelisting approved applications, rather than a signature based approach to blocking.  Bit9 offers white papers on the topic.

-> Tales From The Dark Web: Cross Site Forgery Attacks and other attacks targeting sites using Web2.0 applications are highlighted in this report.

–> Be sure to read a new feature on our web site: Lame Excuses, the dumb statements by people who should have been responsible for securing information.  We welcome your contributions.

-From The News: Report: Web application security and IDS in air traffic control systems.

Data Security Podcast Episode 50 – Apr 27 2009

Posted in Breach, Conference Coverage, criminal forensics, darkweb, ediscovery, Podcast, Vulnerabilities on April 26, 2009 by datasecurityblog

The Data Security Podcast is the place for 30 minutes of news every week on data security, privacy, and the law.

This week’s program – RSA Security confab report; A new way to protect against piracy: two-factor authentication. And, our take on this week’s news.

–> Stream, subscribe or download Episode 50 – Listen or subscribe to the feed to automatically get the latest episode sent to you to your Google, Yahoo, iTunes, or other popular sites.

–>Tune into the show directly on iTunes, you can also subscribe to the program on iTunes.  Tune in or subscribe via our page at Podcast.com.

This week’s show is sponsored by Vipre Anti-Virus, the complete Antimalware solution by Sunbelt Software. If you TRY the enterprise version, you get the home version for FREE! Go to: http://www.testdrivevipre.com .

The Show Notes Page for Episode 50 of The Data Security Podcast

-From The News: Your tax dollars at work… paying a non-PCI compliant company to process your tax dollars. Here’s a copy of Uncle Sam’s contract with RBS Worldpay, which announced a major data breach in December, and which Visa has declared to be non-compliant.

- From The News: Rogue WiFi hotspots at RSA Security, according to scans by AirPatrol.

-> RSA Security confab links: Yubico, BehavioSec, NetworkIntercept, MokaFive, AlertEnterprises.


Paraben CEO, Amber Schroader, shows us Paraben’s Wireless StrongHold Bag at RSA San Francisco

-Tales From The Dark Web: How a cybergang operates a network of 1.9 million infected computers.

-Conversation: Ira talks two factor authentication for software, music and movies with Stina Ehrensvärd of Yubico.

Data Security Podcast Episode 34 – Jan 04 2009

Posted in darkweb, eMail Security, Podcast, Uncategorized on January 4, 2009 by datasecurityblog

The Data Security Podcast is the place for 30 minutes of news every week on data security, privacy, and the law.

This week’s program: Is Google logging the keystrokes on your computer? New attack on fingerprint readers. Plus, this week’s data security news.

–> Stream, subscribe or download Episode 34 – Listen or subscribe to the feed to automatically get the latest episode sent to you to your Google, Yahoo, iTunes, or other popular sites.

–>Tune into the show directly on iTunes, you can also subscribe to the program on iTunes.

This week’s show is sponsored by The Engate Hosted eMail Security System.

In the Data Security News This Week:

From a Seattle Times article:  After 6 months, drivers ignoring cellphone ban

Are drivers are ignoring cell phone bans?

Cell Phone Ban, by Theo Moudakis

From TimesOnline:  The Home Office has quietly adopted a new plan to allow police across Britain routinely to hack into people’s personal computers without a warrant.

DATA SECURITY PODCAST KUDOS: We have been very hard on government agencies, because many of them are bad at protecting data. Here is an exception to the rule: the Chief Information Security Officer for The State of Michigan, Dan Lohrmann.

Tales from The Dark Web: Woman buys fingerprint spoofing tape from counterfeit ID broker

Conversation: Ira talks with Robert Gelb of the AngryHacker.com Blog about desktop keylogging concerns with Google Desktop Search, and possible data hijacking concerns when using Google Docs.

Data Security Podcast Episode 29 – Dec 2 2008

Posted in Podcast on December 2, 2008 by datasecurityblog

The Data Security Podcast is the place for 30 minutes of news every week on data security, privacy, and the law.

This week’s program: Virus via USB hits 75% of the PCs on a military base; New vascular biometric sign-on; and the latest data security news.

–> Stream, subscribe or download Episode 29 – Listen or subscribe to the feed to automatically get the latest episode sent to you to your Google, Yahoo, iTunes, or other popular sites.

–>Tune into the show directly on iTunes, you can also subscribe to the program on iTunes.

This week’s show is sponsored by The Engate Anti-Spam Service

Program Notes for Episode 29

From the news: If you haven’t updated Windows OS systems with the emergency Microsoft Patch MS08-067 (released in October), find out about it here.

One of many postings on by-passing web URL filters, this posting has a YouTube how-to video that you can show non-technical managers.

Tales From The DarkWeb: Computer Virus [Via USB Thumb Drive] Hits U.S. Military Base in Afghanistan; U.S. military officials speculate the cyber attack may have originated in China

Conversation: Ira talks with Jerry Byrnes about vascular biometric technologies for two factor authentication.
