Archive for web application security

June 26, 2010 – Episode 149

Posted in Breach, Conference Coverage, Court Cases, criminal forensics, darkweb, ediscovery, eMail Security, Exclusive, Legislation, Report Security Flaws, The CyberJungle, Vulnerabilities, web server security with tags , , , , , , , , on June 26, 2010 by datasecurityblog

You can listen to Episode 149 by clicking on the flash player below, or go to our listening options page for a list of other ways to receive the show.  Episode 149 is one hour and 15 minutes long.

To listen to Episode 149 via the flash player:

Interviews:

Your employees will use social media whether you like it or not… and our expert says fully20 percent of current business communication is done via social media. So why not take control of the situation, and create ground rules and guidelines, so you’re in charge of how it’s used?  Our interview with Gartner Research Director Andrew Walls is 8 minutes long and starts about 24 minutes into the show. This is an excerpt. We also posted the entire 25-minute interview on our conference notes page, if you’d like to hear it.

In our interview with Ed Rowley of M86 Security, we discuss a new iPhone scam……… The interview starts 61 minutes into the show.

Tales from the Dark Web

Polymorphic attacks are making the lastest drive-by infected web sites mostly invisible to signature-based anti-virus.

Our Take on This Week’s News

iPhone 4 and Motorola Droid X released in the same week.  Guess which phone won the hype war?  The press coverage of the iPhone release centered on the ecstatic throngs of Apple heads waiting all night on the sidewalk outside the stores.  The Android roundup consisted of dry product reviews and analysis of the platform’s future prospects.

Meanwhile smart phone security is a hot topic, and Ira just returned from the Gartner Security and Risk Management Summit, where there was a comprehensive session on the subject.

Speaking of phones… congress is holding hearings on cellphone tracking of citizens by government.

Employers are in denial about the sensitive information that lives on the laptops and smart phones of their employees. Listen to our interview with Kevin Beaver of Principle Logic, who found an interesting gap between perception and reality while he was conducting security audits.  The interview is just over 4 minutes long, taped at the Gartner conference. Look for it on our conference notes page.

Scotland Yard cuffs teens alleged to be participants in the largest English-speaking cybercrime forum in the world.

Lawyers breach medical records during discovery. Anthem spokesperson says, not to worry, the data was only accessible for a short period of time.  Thank goodness!

FBI released information about a new approach to banking attacks with a simultaneous denial of service attack on the account holdder’s phone lines.  Very complicated.

Happy Birthday to George Orwell.  His influence cannot be understated.  He would have been 107 years old on June 25, 201o.

June 12, 2010 – Episode 145

Posted in Breach, Conference Coverage, Court Cases, criminal forensics, darkweb, ediscovery, eMail Security, Legislation, The CyberJungle, Vulnerabilities, web server security with tags , , , , , , , , on June 14, 2010 by datasecurityblog

You can hear episode 145 of The CyberJungle by clicking on the Flash player below, or go to our listening options page for other ways to listen. Episode 145 is 69 minutes long.

To listen to Episode 145 via the flash player:

Interview Segments:

We talked with Jason Miller from Shavlik about why some businesses are still playing catch-up from the big Patch Tuesday… and about the Adobe Flash flaw that affects just about everyone on the planet.  Check the patch management site for help. The interview starts about 21 minutes into Episode 145.

We also played an interview from earlier this year with David Shroyer from Bank of America.  This is a short excerpt from a longer conversation about the reaction of the financial services industry to the Zeus banking attacks.  The 7-minute segment we aired today  is about the “money mules” who launder cash for cybercriminals.  The mules are generally suckers who fall for the “work at home in your pajamas and make thousands of dollars with your computer” schemes. This interview starts about 56 minutes into Episode 145.

Tales from the Dark Web:

Visitors to adult sites might encounter some naughtiness that has nothing to do with sex. See the BBC story: ‘Shady’ porn site practices put visitors at risk

Show notes:

AT&T web application flaw combines with Apple business model flaw to allow a major hack of iPad user email addresses.  The story was widely told this week. Here’s one version.  There are a lot more angles to this story than the mainstream press has covered.

British Petroleum is in for an e-discovery gusher once the Gulf oil spill litigation begins.  Court orders for documents will follow, and cost of discovery could top $100 million, according to this post.

Adobe Flash and Adobe PDF attack surge.

FIFA 2010 World Cup is inspiring a wave of malicious spam tailored to soccer fans.  Symantec has a good overview of “Crimes Against Football Fans” here.

Google has hired an independent firm to investigate its Street View “snafu,” in which its photographer’s vehicles snarfed up information from thousands of private wifi networks, violating privacy and perhaps breaking the law.  The report from the company’s own investigators suggests criminal intent.

Prepaid cell phones are the last available communication device that offers privacy and anonymity.  But two U.S. Senators would like to put an end to it.  Schumer (NY) and Cornyn (TX) want to register the ID of phone purchasers and require the carriers to keep the data for 18 months after deactivation.

Google expands location tags – and other popular location services are riddled with bugs, according to this report.

Beverly High School students in Boston will be required to have a laptop next fall. But not just any laptop.  Parents will have to shell out $900 for a MacBook.  School administrators say PCs will be incompatible with the school’s network. What?

Our Tether contest – win wireless access for your BlackBerry

Thanks to Tether for providing a generous number of full-value licenses to award as prizes for listeners of The CyberJungle. We love the product, and have given away 10 licenses each in episodes 141 and 143.   You can still enter by sending an email to comments@thecyberjungle.com, and telling us which version of the BlackBerry software you’re running. (Find this by going to “settings ->options->about” on your BB.)  We award the prize to the first ten requests of the week.  Our week runs Saturday-through-Friday. If you win, we ask that you send an acknowledgment once you’ve received your key, so we know you got it. Then we will delete your email, as a gesture of respect for your privacy.

BTW — there is a :60 second Tether commercial in these shows.  We are running them as a thank-you to Tether for the software keys.  We want to acknowledge the people who created some of the components in the spot.  The Free Sound Project is an awesome organization for people like us, whose ears are bigger than our budgets when it comes to production.  The audio effects in the Tether spot cam from the site, and we thank the creative producers who post their work. Especially — someone with the handle kkz who created a file called “t-weak bass” … someone with the handle dland who created a file called “to hell with vinyl”… and someone with the handle Halleck, who created “crash reverse.”  All can be heard in the Tether spot, which airs at approximately 29:50 in episode 143.

June 6, 2010 – Episode 143

Posted in Court Cases, darkweb, Legislation, The CyberJungle, Vulnerabilities, web server security with tags , , , , , , , , , , , , , on June 6, 2010 by datasecurityblog

Episode 143 is 71 minutes long. You can listen by clicking the flash player below, or you can click here for more listening options.

To listen to Episode 143 via the flash player:

Interview segment

We talk with Gary Biller, Executive Director of the National Motorists Association, about an Ohio Supreme Court decision that says law enforcement officers do not need to back up their vehicle speed estimate with reports from a radar reading; eyeballing it is good enough. The Ohio press reports. The interview starts about 20 minutes into Episode 143.

Tales From The Dark Web

Mac Attack: Spyware trojan hitching ride on third-party screensavers for the Mac.

Advice to those sent their questions to the CyberJungle mailbox

Site for alternative PDF readers:  http://pdfreaders.org

Site for scrubbing hard drive before you give your computer away: Darik’s Boot And Nuke

Our take on this week’s news

Researchers from the mobile industry and academia are analyzing the detailed call and text record databases from mobile phones, along with users’ geographic movement.  Information about how and when people move about promises a handsome revenue stream for cell phone carriers.

Wall Street Journal report on smartphone attacks. MasterCard launches iPhone, iPad payment app

Fake software sales on criagslist draw attention.  Pirated software can also find its way into retail stores occasionally, too. Microsoft provides a site that helps you figure out whether your software is legit.

Federal Trade Commission settles with CyberSpy Software, LLC.  Settlement requires the company to stop instructing its customers how to send its keylogging product in a stealth email attachment. Also must notify the receiving computer that the software is about to download, and receive consent.  This will put a chill on the spying.

Hackers like the Facebook “Like” button. Only six weeks after its introduction, the Like button is being used for mischief.

Legal intrigue after Digital River  management was alerted that a big batch of the company’s data was circulating , and offered for sale on the black market. Civil and criminal law in play.

Our Tether contest – win wireless access for your BlackBerry

Thanks to Tether for providing a generous number of full-value licenses to award as prizes for listeners of The CyberJungle. We love the product, and have given away 10 licenses each in episodes 141 and 143.   You can still enter by sending an email to comments@thecyberjungle.com, and telling us which version of the BlackBerry software you’re running. (Find this by going to “settings ->options->about” on your BB.)  We award the prize to the first ten requests of the week.  Our week runs Saturday-through-Friday. If you win, we ask that you send an acknowledgment once you’ve received your key, so we know you got it. Then we will delete your email, as a gesture of respect for your privacy.

BTW — there is a :60 second Tether commercial in these shows.  We are running them as a thank-you to Tether for the software keys.  We want to acknowledge the people who created some of the components in the spot.  The Free Sound Project is an awesome organization for people like us, whose ears are bigger than our budgets when it comes to production.  The audio effects in the Tether spot cam from the site, and we thank the creative producers who post their work. Especially — someone with the handle kkz who created a file called “t-weak bass” … someone with the handle dland who created a file called “to hell with vinyl”… and someone with the handle Halleck, who created “crash reverse.”  All can be heard in the Tether spot, which airs at approximately 29:50 in episode 143.

Episode 118 and 119 – March 14, 2010

Posted in Breach, Conference Coverage, Court Cases, criminal forensics, darkweb, ediscovery, Exclusive, Legislation, Show Notes, The CyberJungle, Vulnerabilities, web server security with tags , , on March 13, 2010 by datasecurityblog

Episode 118 is the ‘su root’ episode,  our unedited interview with Joe Weiss, author of the forthcoming book, “Protecting Industrial Control Systems from Electronic Threats.” Joe says there’s a  lack of trained personnel to manage system controls in the Smart Grid, and indeed in the entire insdustrial infrastructure.  The results of this understanding gap could be catastrophic. The full-length interview is 24 minutes.

Episode 119 is the weekly podcast of The CyberJungle. Listen by clicking below. This week’s show is 69 minutes long.

Here are the shownotes:

Met Matt Carpenter at RSA. He works as a consultant for InGuardians and specializes in penetration testing for electrical utilities. Pen testing is a complex process of thinking like an attacker, and then simulating what an attacker would do. Matt was a panelist in a number of smart grid sessions, and he brought up some alarming scenarios that highlight the possible hazards of the electrical smart. The interview is about 21 minutes into the show.

This week’s news:

TSA agent injects terrorist watchlist server with destructive code after being given termination notice. He’s been indicted by a federal grand jury on two violations of the Computer Fraud and Abuse act. And he’s out on bail. (We question the wisdom of letting an employee know in advance that he’ll be fired, and then giving him two weeks’ access to systems affecting national security.)

EFF files PUC guidelines for smart meter privacy, as California rolls out the program. Read the comments as they were filed. (Read the 49-page legal document, PDF)

Father and Son Plead Guilty to Selling Counterfeit Software Worth $1 Million.  Why this matters: Malware hidden in the software, you gave permission for the malware to be installed! If the sales are traced back to you, you have to delete the software, and buy it again. You can’t keep car!

How Microsoft’s URL reputation system works: [from windowsteamblog.com]

Episodes 113A, 113B, and 112 su root editon: February 21, 2010

Posted in Breach, Conference Coverage, Court Cases, criminal forensics, Legislation, Podcast, Show Notes, The CyberJungle, web server security with tags , , , , , , on February 21, 2010 by datasecurityblog

Three episodes, one low price. (Free). We posted the show in three parts this week. Episode 113 A is a 35-minute interview on cell phone tracking, posted separately, so that anyone who wants the cybercrime news can skip straight to Episode 113 B.

The other post is the su root edition for the technically proficient. This week it’s an interview with Ben Jun from Cryptography Research, on developing applications that adapt to sweeping changes in technology. A preview of his RSA presentation. It’s 20 minutes long.

Episode 113 A – cell phone tracking interview

This is an interview segment on the legal and technical issues under review by the federal Third Circuit Court of Appeals regarding tracking of cell phone users. Our guests are Rebecca Gasca of the Nevada ACLU and Dr. Nirmala Shinoy of the Rochester Institute of Technology. This segment is 35 minutes long.

The most informative of the documents is the 2008 court order now being appealed, in which a Western Pennsylvania magistrate denied the government’s request for tracking data without a warrant. It’s 56 pages long, but offers a very comprehensive statutory history of the laws that apply to phone tapping and tracking. Newsweek recaps the issue and covers the appeal. http://www.newsweek.com/id/233916

Episode 113B Cybercrime and Security News

A spike in power grid attacks is predicted in the next 12 months. The Project Grey Goose report claims the number and severity of attacks on the existing grid has been underreported.

Coincidentally, Zues and its variants are more severe and widespread than previously reported. The attack is not just stealing money from commercial bank accounts. It’s settled into more than two thousand entities and 74 thousand computers, stealing intellectual property, credit card numbers email and network credentials, and a wide variety of other information. The good news is, it’s finally hitting the mainstream press. Reported this week in the following publications.

CNET: Zeus on 74k PCs in global botnet. “…Compromises of enterprise networks have reached epidemic levels”

NY Times: Malicious Software Infects Corporate Computers. Attack goes well beyond just bank account info stealing.

Wall St Journal: Broad New Hacking Attack Detected

WaPo: Nearly 2500 companies victim of massive cyberattack

The economics of malware- a new report urges us to look at cybercrime differently. It’s not lone gunmen and geeky teens, it’s an entire economy, with mom and pop shops, street vendors, manufacturers and marketers.

A TV news story that suggests banks are using your social networking pages to glean information about your creditworthiness. A company that mines the sites for data and sells it to the banks says nope… the institutions only use it for marketing, not for lending decisions.

A Houston television station launched an investigation of retail credit card practices at the cash register in Sears and K-Mart. Employees at the store accepted credit cards without checking ID or signatures. The reporters made numerous purchases using cards that didn’t belong to them. The stores will “immediately” begin retraining their employees at more than 2,000 combined stores nationwide in techniques for preventing credit card fraud.

Show Notes: The CyberJungle Episodes 103 and 102 Jan 12 2010

Posted in Breach, Court Cases, criminal forensics, Exclusive News, Podcast, Show Notes, The CyberJungle, Vulnerabilities, Zero Day Project with tags , , , , , , , , on January 16, 2010 by datasecurityblog

Two episodes this week: Episode 103 is a podcast version of the live radio program.

Episode 102 is our ‘su root’ podcast, in-depth technical interviews for the more advanced listener.

Overview of this week’s program.  More detailed notes and links provided below under “show notes.”

*Episode 103 the broadcast- Breaking News:  Do airport checkpoint whole body scanners have logging and auditing to enforce security and privacy policies?  We’re not sure after talking with a representative of one of the companies that makes the machines.  Seems the TSA may not have included an audit function in its specifications.   And, our guest tells us what happened to the “puffer machine” that would have detected the underwear bomber’s chemical payload on Christmas Day.

We also talked with an attorney from EPIC, the organization that sought and won the TSA specification documents revealing that body scanning machines are indeed capable of retaining and transmitting the naked images of the passengers they scan. This is NOT what TSA told the American public.

*Episode 102 (the su root interiews… requires above-average technology background). Click fraud is running rampant… ripping off internet advertisers. A new, more serious attack that not only steals credit for click-through purchases, but hijack’s the end user’s computer. This is a must-listen for marketing, security, and legal personnel. Discussion on the live show, with the full interview online.

*Episode 102 (the su root interviews…requires above-average technology background.) A new user credential – your cell phone calls you for a voice print… and then lets you into your email, bank account, authorizes credit card purchases or VPN remote access. Great idea? We have an exclusive audio interview with the co-founder of the company.

–> Listen This Week’s Show through our Main Site

Show Notes for Episode 103 of the CyberJungle

*ZeroDay Flaw in some versions of Microsoft Internet Explorer (MSIE) web browser.  Microsoft’s TechNet site has posted detailed information about the flaw. If you have not checked your MSIE browser version, do it now. Launch MSIE, find the Help Icon (usually the far right menu/icon, depending on the version of MSIE you are running), and select About Internet Explorer. If you are not running MSIE verson 8, you need to update your browser. Read more here. Update your browser to MSIE 8 here.

* People around the world are searching the web for the latest updates on Haiti earthquake. Members of the Dark Web use major events like this to spread their malicious code. Read more on this attack at the WebSense Security site. Ira mentioned the Google Trends site, a site that tracks hot topics on The Web.

* Samantha had a conversation with Ginger McCall, Esq., with the Electronic Privacy Information Center (EPIC). They talked  about the DHS airport body scanners, and a Freedom of Information lawsuit by EPIC. Read more at this EPIC-sponsored site.

* Samantha and Ira had a conversation Brook Miller, VP with Smiths Detection, the makers of “the puffer” machine, and the whole body scanners.

* Samantha had a conversation with Dr. Kerry Kerry Nemovicher, Ph.D. about “The Human Firewall” event by  InfraGard. This event takes place on Thursday, Jan 21st at Boomtown Casino, in Reno Nevada. This lunch event runs from 11.15am to 1.15pm. $15 donation when you reserve your ticket by Monday at 9:00am, $20 at the door.

Show Notes for Episode 102 of The CyberJungle, an ‘su root’ program, in-depth technical interviews and analysis

*Ira has a conversation with Dr. Ben Edelman, from the Harvard Business School, about a new type of online advertising “click fraud” that takes over customer’s computers. Read more on Dr. Edelman’s site. On the main site you can listen to the full, detailed, and technical conversation. Look for the “su root” podcast (Episode 102) on the main site, www.TheCyberJungle.com.

* Ira has a conversation with Steven Dispensa, CTO and co-founder of PhoneTrust, about voice print authentication. On the main site you can listen to the full, detailed, and technical conversation. Look for the “su root” podcast (Episode 102) on the main site, www.TheCyberJungle.com.

Data Security Podcast Episode 88, Jan 04 2010

Posted in Annoucements, Breach, darkweb, Legislation, Podcast, The CyberJungle with tags , , , , , , , on January 3, 2010 by datasecurityblog

30 minutes every week on data security, privacy, and the law…..(plus or minus ten)

On this week’s program:

* Bad guys buying services to evade anti-virus

* Special announcement

* Our take on this week’s news

–> Stream This Week’s Show with our Built-In Flash Player (for higher security, stream through FeedBurner, using the hyperlink below):

–> Scroll down to see links and show notes for this week’s show

–> Stream, subscribe or download Episode 88 – Use Feedburner to listen or subscribe to the feed to automatically get the latest episode sent to you to your Google, Yahoo, iTunes, or other popular sites.

–>Tune into the show directly on iTunes, you can also subscribe to the program on iTunes.

–> A simple way to listen to the show from with stricter firewalls: Listen from Odeo. This site works better if you are behind a more restrictive enterprise firewall. The shows don’t always display on chronological order on Odeo.

Please visit our sponsors, and be sure to let them know you heard about them on The Data Security Podcast:

  • Award-winning Sunbelt Network Security Inspector a scalable and effective vulnerability scanner. Windows IT Pro Magazine readers chose SNSI as their Favorite Vulnerability Scanner for two years in a row. Read more here, and contact Data Clone Labs for a test drive .
  • GamaSec Web App Scans: Spots cyber-hazards on your web site, and has advanced zero-day protection. GET YOUR FREE BASIC WEB APP SCAN, plus a special offer just for listeners to The Data Security Podcast. Go here to sign up, and add the offer code: Podcast.
  • SonicWall;  Get the super fast UTM firewall that’s rated Five Stars (the Best rating) by Secure Computing MagazineData Clone Labs is the premier SonicWall Medallion Partner for all your security needs.
  • DeviceLock; Software that controls, manages and helps encrypt USB drives and other removable media. Get a free trial on their site, and be sure to let them know you heard about them on The Data Security Podcast.

Show Notes for Episode 88 of the Data Security Podcast

* Tales From The Dark Web: Bad guys buying services evade anti-virus. Brian Krebs (formerly with The Washington Post) does his usual outstanding work on the topic, from his brand new blog. Read more here.

* From Our Take on The News: Body scanning machines; here’s a story from the UK that dismisses their effectiveness in cases where a guy stuffs a chemical explosive in his underwear. (But they are very effective at revealing the other junk in your underwear.) Read more here.

Meanwhile, Logan International in Boston and the Newark Liberty Airport in New Jersey will both get the body imaging machines. (Both were points of origin for the September 11 attacks.) Read more here from The Star Ledger. And read more here from Boston Globe.

* From Our Take on The News: TSA nominee misled Congress about accessing confidential records. Read more here from The Washington Post.

* From Our Take on The News:  How embarrassing! The Chairman of the FCC sends a facebook spam. Read more here from The New York Times blog.

* Special Announcement:  The Data Security Podcast will go LIVE this week as the nation’s first  call-in talk show on security, privacy and the law. You can listen on a web stream or terrestrial radio every Saturday, starting this Saturday, Jan 9th from 10 a. m. until noon Pacific Time.  Be sure to tune into the web stream of KKOH-780am, here is a link to their site, click on the’ Listen Live’ link on the upper right hand corner.

We are changing the name of the show to The CyberJungle. We will keep this site active, and we will keep the current iTunes site active for a while, as we transition to the new name and site.   We will  continue to post our interviews with security experts. The material that’s too technical for the radio will be posted here.

We want to thank all of you for  the support and feedback for the last 18 months. We are grateful that you chose to spend your time with us. Our sponsors have also been very good to us. If you enjoy the show, please try their products, and please let the know you heard about them from us.

A big thanks also to the management of KOH Radio. They “get it,” and we salute them for understanding that the time is right for this show.

KOH Call-In for The New Show

Follow

Get every new post delivered to your Inbox.

Join 1,138 other followers