Episode 273 of The CyberJungle is about 30 minutes long. You can hear it by clicking on the flash player below. The interview with Rafal Los, Security Evangelist with HP, begins at about the 17-minute mark. You may download the file directly – great for listening on many smartphones. Or, you may go to the listening options page and browse for other ways to hear the show.
Episode 239 of The CyberJungle is about 30 minutes long. You can hear it by clicking on the flash player below. The interview with Dr. Karen Paullet on being a cyber expert witness begins at about the 13-minute mark. You may download the file directly – great for listening on many smartphones. Or, you may go to the listening options page and browse for other ways to hear the show.
Episode 161 is this week’s full episode of The CyberJungle, posted immediately below. Episode 160 is the su root edition for advanced listeners – material that’s too technical for the radio. The advanced material consists of three conversations from DefCon 18. Scroll down to the end of this batch of show notes to find it.
This week’s regular episode of The Cyberjungle is 1 hour and 12 minutes long. You can hear it by clicking on the flash player below, or you can go to the listening options page and browse for other ways to hear the show.
Security researcher Craig Heffner offers an alarming discovery about the consumer-grade routers you buy at the big box store. He’s found major flaws in these router/firewalls. This interview is about 8 minutes long, and it begins at 59 minutes into Episode 161. Or you can just listen to the interview by going to our conference notes page. Also, here are some links to more information about Craig’s work:
Our dramatic audio taken at a DefCon 18 press conference, in which the host of the press conference begins (quite out of the blue) to describe his personal relationship with Adrian Lamo, one of the central characters in the Wikileaks incident. We posted this story, and six minutes of audio featuring cybersecurity researcher and self-described white-hat hacker Chet Uber on the last day of DefCon. In it, Uber discusses how he persuaded Lamo to turn in accused leaker Pfc Bradley Manning. There is a disputed fact in Uber’s account. Uber said he helped Lamo determine that documents in his possession were classified. Lamo now denies that he ever had possession of top secret documents. The facts will come out at Bradley Manning’s trial. No matter who is correct, the sound file offers some interesting insight into how a high-level meeting with federal law enforcement is arranged, and what top secret documents look like. The file is at the bottom of this story, if you want to hear it.
Our Take on This Week’s News:
The National Science Foundation has a porn problem according to Senator Chuck Grassley. Seems the science guys are passing around porn despite technical measures taken by the agency to block it. Oh, and there’s one guy who reportedly spends 20 percent of his time looking at porn, at an estimated cost to the taxpayer of $58,000. So do the math. This guy makes $290k per year??? WTF!!!
BlackBerry Ban – RIM Coming To Agreement With Middle-Eastern and Asian Nations on Eavesdropping. The question that we are still researching: What about a foreigner that uses BES in one of the nations? Is the traffic routed to one of these local RIM servers, or back to Canada?
Salute to the Wall Street Journal for its series this week on web tracking, cell tracking and other privacy issues.
We stumbled over the Social Engineering contest at DefCon 18. A super fun event to watch, as contestants placed phone calls to major U.S. corporations, and charmed employees into revealing a wide range of information about company operations — everything from the name of the dumpster service to the details of the IT architecture. (We posted a story about it here, describing a call to Apple that yielded a whole lotta info. Boy, Steve’s gonna be mad. There’s also an audio file with a three-minute explanation of the contest by its organizers, a group called Social-Engineer. The audio file is located about half-way through the story.) Read about the Social Engineering organization here.
The annual session on physical lock security is always a hit. (This year there was more than one.) We attended the presentation by Marc Weber Tobias. His team demonstrated flaws in five different locks, from the plain-vanilla pin tumbler lock on your back door, to the $200 fingerprint biometric, the electronic RFID military lock and even a personal safe. You can see the videos here, demonstrating how the locks were breached.
Speaking of physical security — a state agency head in California sent an email message to 175 employees announcing that the lock at the south end of their office building was malfunctioning, and there was no budget to fix it. This column in the Sacramento Bee offers an unintentionally comical account of the way this broken lock was broadly communicated to the world when one of the employees faxed a copy of the email to a state worker newsletter. The info apparently ended up — we’re not sure how — on the desk of the SacBee reporter who wrote the column. The major point of the story is that California has no money, and even getting approval to fix a broken lock on a state building in a bad neighborhood is a tough uphill climb. But the funny part is how nobody ever stopped to consider that inside this building, where unemployment benefit checks are written, there is a whopping amount of personal information about the citizens of the State Formerly Known as Golden. Wow… If we were bad guys we’d probably keep an eye on this place even after the lock is fixed, because it might be a really easy target.
If we don’t laugh, we’ll probably cry. For laughs – a national association of perverts has offered an endorsement of body scanning machines in airports. Now read this and weep – The feds love these machines so much that they’ve decided to deploy them at federal courthouses as well as airports. Where next, the public library? And yes, they do store images, the feds now admit, after repeated denials that the machines had such capabilities. Duh. Did we think they would perform a visual inspection for contraband, and then fail to store the image for evidence during prosecution?
Episode 160 – su root edition:
This is our unedited edition, featuring three interviews straight from DefCon 18. The audio file is 34 minutes long. This is a special DefCon 18 edition featuring interviews with David Bryan on building a network to withstand thousands of hackers, using low-cost equipment and volunteers. He has lessons for anyone building a network today. Then we have an interview with Chris Drake of Firehost web hosting on web application security. Finally, the third interview is with Sohail Ahmad of Airwave Security about his discovery of a flaw in the WPA WiFi security protocol that can reveal confidential information, and has no patch. But, there is a workaround.
You can hear it by clicking on the flash player below, or you can go to the listening options page and browse for other ways to hear the show.
Episode 147 is this week’s full episode of The CyberJungle. Episode 146 is the su root edition for advanced listeners – too technical for the radio.
This week’s show is 1 hour and 14 minutes long. You can hear it by clicking on the flash player below, or you can go to the listening options page and browse for other ways to hear the show.
David Perry, Global Director of Education for TrendMicro. David just flew back from the international Anti-Phishing Working Group Conference in São Paulo, Brazil. David became really animated when I asked him for details about the huge cybercrime armies in China. David recommends the Counter-Measures Blog by TrendMicro. This conversation is about 9 minutes long, and starts about 21 minutes into the show. For the full 36-minute interview, which was too long and technical to air on the radio, scroll down to Episode 146.
ALSO – Security software entrepreneur Phil Lieberman, President of Lieberman Software, who has been serving as an adviser to members of the U.S. Senate on the cybersecurity bill: sweeping new legislation that could impact every department in the federal government, and data security at the state level. That interview begins about 58 minutes into the show.
Tales from the Dark Web:
A 21-year-old cybercriminal parlayed his talent into a Porsche, expensive watches and £30,000 in gold bullion. He’s been arrested.
Our Take on This Week’s News:
The rush to deploy smart meters: Federal stimulus money can get you high, and it makes decision-makers really stupid. The smart meters are among several advanced systems being deployed before they’re really ready, in terms of their vulnerability to cybercrime. BTW — Kudos to cnet’s Elinor Mills who wrote the article above. Well researched and thorough.
And if you like reporting to big brother about your driving habits, maybe you should move to the UK, where the cops have stored 7.6 billion images of cars moving through the streets. HMP Britain is an interesting blog that’s posted the response to its FOIA request about the use of the data taken from CCTV – a surveillance method ubiquitous in Britain. HMP stands for “Her Majesty’s Prison” and it’s a prefix in the name of the slammer in every jurisdiction. HMP Nottingham, etc…. The name of the website suggests the entire nation is a prison, according to its proprietor.
Goatse Security published a serious security flaw in the Safari browser that affects the iPhone/iPad back in March. Apple has still not patched that flaw, and the code is available on the internet for any attacker to see.
The Disgruntled Employee Chronicles, Chapter 359: How many times does this story have to play out before managers begin to realize that when you fire someone, you have to terminate their user name and password the same day? This former employee was creating havoc inside the hospital’s network after he no longer worked there.
At last! A data breach story with a happy ending! Department of the Interior lost a CD containing personal data for 7500 federal employees… but wait a minute…. The data was encrypted and password protected. And the department reviewed its procedures to make sure it doesn’t happen again. And they disclosed the loss of the disk within 10 days. And then pigs started flying out the windows of the Department of the Interior building. (Just kidding. We salute the Department of the Interior. If only other federal agencies would implement and follow best practices.)
The good folks at EFF offer yet another great privacy and security idea! HTTPS Everywhere. It’s a Firefox plug-in that forces encrypted HTTPS connections to popular search engines and social media sites. It also lets you add rules for sites you visit frequently. Check it out.
Everything Old is New Again. The USB typewriter, for instance. Cute, but can you imagine hauling it onto an airplane?
Episode 146- su root Edition:
This is our unedited interview with David Perry, Global Director of Education for TrendMicro. We had a long conversation about iPhone security, web application security, and malware attacks. ALSO — David discusses an army of 300,000 Chinese cybercriminals. The interview is 36 minutes long. Click on the flash player below, or go to our listening options page and browse for other ways to hear the show.
We talk with Gary Biller, Executive Director of the National Motorists Association, about an Ohio Supreme Court decision that says law enforcement officers do not need to back up their vehicle speed estimate with reports from a radar reading; eyeballing it is good enough. The Ohio press reports. The interview starts about 20 minutes into Episode 143.
Federal Trade Commission settles with CyberSpy Software, LLC. Settlement requires the company to stop instructing its customers how to send its keylogging product in a stealth email attachment. Also must notify the receiving computer that the software is about to download, and receive consent. This will put a chill on the spying.
Our Tether contest – win wireless access for your BlackBerry
Thanks to Tether for providing a generous number of full-value licenses to award as prizes for listeners of The CyberJungle. We love the product, and have given away 10 licenses each in episodes 141 and 143. You can still enter by sending an email to firstname.lastname@example.org, and telling us which version of the BlackBerry software you’re running. (Find this by going to “settings ->options->about” on your BB.) We award the prize to the first ten requests of the week. Our week runs Saturday-through-Friday. If you win, we ask that you send an acknowledgment once you’ve received your key, so we know you got it. Then we will delete your email, as a gesture of respect for your privacy.
BTW — there is a 60-second Tether commercial in these shows. We are running them as a thank-you to Tether for the software keys. We want to acknowledge the people who created some of the components in the spot. The Free Sound Project is an awesome organization for people like us, whose ears are bigger than our budgets when it comes to production. The audio effects in the Tether spot came from the site, and we thank the creative producers who post their work. Especially — someone with the handle kkz who created a file called “t-weak bass” … someone with the handle dland who created a file called “to hell with vinyl”… and someone with the handle Halleck, who created “crash reverse.” All can be heard in the Tether spot, which airs at approximately 29:50 in episode 143.
Interviews, Episode 125: Big Batches of Patches! Following huge releases on Patch Tuesday from Microsoft, Apple, Sun/Java, Mozilla Firefox, and Mozilla Thunderbird, we talk with patch management expert Jason Miller. He’s Data and Security Team Manager from Shavlik Technologies. Jason’s interview starts about 22 minutes into the program.
CNN presents a glowing story about the success of airport whole body scanners, which have found drugs and other junk in people’s pockets. The TSA plans to roll out 1000 more of the machines. Meanwhile, the Electronic Privacy Information Center posted this doc, in which the TSA contradicts itself to Congress regarding the ability of the machines to store and transmit images. See item #8, where they claim that the airport scanning machines are not capable of transmitting images, BUT, the images they transmit to remote viewing facilities are encrypted.
A new web service allows businesses to monitor the social networking communications of their employees. Facebook and Twitter users, you should probably just assume that what you post publicly is being monitored by your employer. Employers, you should probably assume that your employees post a lot of stuff that shouldn’t be shared.
Quip app security hole shares private photos. People who used a free service to send naked photos of themselves were exposed. Hey, wait a minute… doesn’t the Apple App Store perform extensive reviews before they accept a product?
iPad is coming to the office, and we found some security applications for it. iTeleport: Jaadu VNC is encrypted remote access that allows a secure connection between the iPad and a desktop computer. ALSO — in PC World, Tom Bradley reports another option from Array Networks: “One app that is not yet available, but has significant promise for leveraging the iPad to connect with Microsoft Windows systems is Array Networks Desktop Direct.”
Report: 64% of all Microsoft vulnerabilities for 2009 mitigated by Least Privilege accounts.
Cleveland Plain Dealer exposes identity of community leader who posts anonymous comments. Starts debate about privacy versus the public’s right to know. We wonder why just anyone at the newspaper can look at the email registry.
A simple way to listen to the show from behind stricter firewalls: Listen from Odeo. This site works better if you are behind a more restrictive enterprise firewall.
Please visit our sponsors, and be sure to let them know you heard about them on The Data Security Podcast:
Vipre Anti-Virus, the complete Antimalware solution by Sunbelt Software. If you TRY the enterprise version, you get the home version for FREE! Go to: http://www.testdrivevipre.com .
GamaSec Web App Scans: Spots cyber-hazards on your web site, and has advanced zero-day protection. GET YOUR FREE BASIC WEB APP SCAN, plus a special offer just for listeners to The Data Security Podcast. Go here to sign up, and add the offer code: Podcast.
SonicWall; Get the super fast UTM firewall that’s rated Five Stars (the Best rating) by Secure Computing Magazine. Data Clone Labs is the premier SonicWall Medallion Partner for all your security needs.
DeviceLock; Software that controls, manages and helps encrypt USB drives and other removable media. Get a free trial on their site, and be sure to let them know you heard about them on The Data Security Podcast.
Show Notes for Episode 64 of the Data Security Podcast
* Conversation: Ira talks with Larry Pesce, of PaulDotCom, about the downright scary information he easily found while sifting through a file sharing network.
* Tales From The Dark Web: Ira talks with David Maynor of Errata Security about the security threats associated with personal WiFi devices. The photo below is of David:
David Maynor holding the Clear personal WiFi device (left) and the Verizon/MiFi personal Wifi device (right)
*From the News: Tony Flick from Fyrmassociates.com on the electric smart grid security threats.
* Wrap: DIFRWear.com RFID protection products
Michael Aiello, CEO of DIFRWear RFID Protection
* Wrap: BumpMyLock.com, locks, lock penetration testing supplies, and how to bump open a lock:
BumpMyLock Booth at DefCon17
In the Lockpicking Village, Selestius tries to pick her way out of a set of handcuffs. Although the photo is blurry, there is a very slim, long, lockpick in Selestius’ right hand:
Hacking Session Floor Space
Some sessions got so crowded, there was nowhere to sit. Sometimes the side-aisle standing room would fill up. Due to fire rules, sitting on the floor of the center aisle was a hazard. Faced with not getting to see a hot session, Thomas from LA thought of an original floor hack: He bought a small, $10 folding camping chair. He pulled it next to a hotel chair, and got a seat in the center aisle of every crowded session! Thomas tells the Data Security Podcast that the “Goons” (DefCon staff) appreciated his innovative approach to crowded sessions.
This week’s show is sponsored by Vipre Anti-Virus, the complete Antimalware solution by Sunbelt Software. If you TRY the enterprise version, you get the home version for FREE! Go to: http://www.testdrivevipre.com .
The Show Notes Page for Episode 50 of The Data Security Podcast
-From The News: Your tax dollars at work… paying a non-PCI-compliant company to process your tax dollars. Here’s a copy of Uncle Sam’s contract with RBS Worldpay, which announced a major data breach in December, and which Visa has declared to be non-compliant.
-Conversation: Ira speaks with Ben Pilani of Zer01mobile.com. They are going to offer smartphone software that includes: encryption, VoIP, unlimited voice and data. Ira and Ben talk about the security protocols used (SSL), and issues related to using the Real-time Transport Protocol (RTP) over the slow GSM cellular networks.
-Also from The News: Seagate recalls hard drive firmware. Read more on the Seagate site, including where to email them and request a patch. More about the related class action lawsuit regarding these failures, from the law firm of Kabateck Brown Kellner LLP.
- Tales From The Dark Web: Elcomsoft Wireless Security Auditor can be used to audit and crack WPA WiFi encryption using off-the-shelf video cards. WARNING: Do not use ANY audit or cracking tool to access a network without the authorization, in writing, of the owner of that network. Then, just before you run the tool, have the owner give you approval a second time. Or, if you are not prepared to get approval to use this tool on someone else’s network, buy your own WPA Wi-Fi access point, and hook it up to your own network to test this tool. There might be a good deal at Circuit City for a cheap testing-only access point. Remember, the cheap, consumer access points usually don’t have the ability to turn off wireless administration, so it’s not smart to use them in production or live environments.
- Will the Conficker worm be “the worst worm ever?” Some members of the mainstream media seem to think so. Randy Abrams from ESET (the makers of NOD32 anti-virus) thinks that Conficker will not be the worst worm ever, and we talk about strategies to counter this attack, and other more serious attacks. The mainstream media is focused on Conficker, while the members of the Dark Web could be attacking you where you might not expect. Read Randy’s related blog posting, Confused about Conficker?