Archive for XSS

Data Security Podcast Episode 75, Oct 25 2009

Posted in Breach, Court Cases, criminal forensics, darkweb, ediscovery, Exclusive, Legislation, Podcast, Report Security Flaws, Vulnerabilities, web server security on October 25, 2009 by datasecurityblog

30 minutes every week on data security, privacy, and the law…..(plus or minus ten)

On this week’s program:

* Everyone loves retail gift cards…they are quick and easy for consumers, and for web application “hackers.”

* Some Time Warner cable internet users are vulnerable to serious attacks — when will Time Warner release a fix?

* Our take on this week’s news.


–> Scroll down to see links and show notes for this week’s show

–> Stream, subscribe or download Episode 75 – Listen, or subscribe to the feed to have the latest episode delivered automatically to Google, Yahoo, iTunes, or other popular sites.

–> Tune into the show directly on iTunes; you can also subscribe to the program there.

–> A simple way to listen from behind stricter firewalls: Listen from Odeo. This site works better if you are behind a more restrictive enterprise firewall.

Please visit our sponsors, and be sure to let them know you heard about them on The Data Security Podcast:

  • Vipre Anti-Virus, the complete Antimalware solution by Sunbelt Software. If you TRY the enterprise version, you get the home version for FREE! Go to: http://www.testdrivevipre.com .
  • GamaSec Web App Scans: Spots cyber-hazards on your web site, and has advanced zero-day protection. GET YOUR FREE BASIC WEB APP SCAN, plus a special offer just for listeners to The Data Security Podcast. Go here to sign up, and add the offer code: Podcast.
  • SonicWall; Get the super fast UTM firewall that’s rated Five Stars (the best rating) by Secure Computing Magazine. Data Clone Labs is the premier SonicWall Medallion Partner for all your security needs.
  • DeviceLock; Software that controls, manages and helps encrypt USB drives and other removable media. Get a free trial on their site, and be sure to let them know you heard about them on The Data Security Podcast.

Show Notes for Episode 75 of the Data Security Podcast

Time Warner-supplied SMC cable modems: open for exploit?

* Conversation: Ira talks with David Chen of Pip.io for an update on the critical vulnerabilities he discovered in a batch of Time Warner cable modems (made by SMC). TW now acknowledges the flaw and has said elsewhere that a fix is being deployed, but David Chen tells us that as of this past weekend the vulnerabilities remain. Both David Chen and The Data Security Podcast have tried to get an update on the fix; Time Warner Cable has not replied to written requests from either. David Chen is blogging recommendations on how he thinks Time Warner Cable could mitigate these flaws; see his latest blog post.

* Tales From The Dark Web: Retail gift card programs are potentially vulnerable to a range of attacks, and the one that jumps out is web application attacks against the sites that issue and redeem the cards. Read the entire report by Corsaire.

* From Our Take on The News: Jurors are using smartphones from the jury box and the deliberation room, potentially putting trial outcomes in jeopardy.

* From Our Take on The News: Treasury Strategies Sees Possible Bank Failures Due to Fraud Losses

* The Kicker: Long Island Teen Uses Hidden Video to Catch a Thief

Modern Bank Robbers Could Shutter As Many As 10 Financial Institutions

BREAKING NEWS – New Twist to Zeus Bank Trojan; Well-Known Penetration Tester at ISACA Conference Calls Revelation “Disastrous”

Posted in Announcements, Breach, Conference Coverage, Court Cases, criminal forensics, darkweb, ediscovery, Exclusive, Vulnerabilities, web server security on September 30, 2009 by datasecurityblog

Reporting from the ISACA Security and Risk Management Conference in Las Vegas, we have breaking security news this morning.

Organized cyber criminals have added a damaging new element to an already vicious cyber attack. Yuval Ben-Itzhak, CTO of Finjan, spoke by phone with the Data Security Podcast about a frightening new twist in the surge of bank-account-stealing Trojan attacks.

First some background: This news program, and other media outlets, have been reporting in the last few months on a wave of bank account Trojans that have been stealing money from small and medium sized businesses and local governments. These well organized cyber criminals combine web drive-by attacks with unauthorized electronic funds transfers. The cyber criminals then use innocent money mules to launder the money. The mules are typically lured in through popular “make cash at home” schemes.

A construction company in Maine lost $588,000 in a recent attack, and it is now suing its bank. It’s important to note that while consumers generally have 60 days to “unwind” an unauthorized electronic funds transfer, business accounts are only protected if the bank is alerted within 48 hours of an unauthorized transfer. On The Data Security Podcast earlier this week, we interviewed the lawyer representing the construction company that suffered the $588,000 loss; see the link below.

The Data Security Podcast can now report a dangerous new element in these attacks. Ben-Itzhak tells the Data Security Podcast that Finjan security researchers have seen the cyber criminals actually alter the “account view” screens that a victim sees online. Naturally, the altered screens do not show the suspicious transactions. This means a business will probably lose its chance to catch unauthorized transactions within the 48 hour window.

Here’s the process: The business uses one or more computers to do online business banking, and uses those same computers for web browsing, email, and other standard business internet tasks. The attackers use those normal internet activities to plant a version of the Zeus banking Trojan onto the business computer systems. These attacks are designed to bypass most firewalls and many popular anti-virus programs.

The Trojan captures login credentials, challenge question answers, and account numbers right from the business computer systems: all the information the criminals need to conduct unauthorized electronic funds transfers.

Here’s the new twist: The attackers are now altering the web screens that display business account information. The bank’s computers are not altered; rather, the business customer’s view of their own accounts, as seen from their own computers, is. This is known in security-speak as an integrity attack: authorized persons can no longer trust the accuracy of their own information, because the copy they see has been modified without authorization.
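As an added illustration (this is not Finjan’s research code or anything from the podcast), the following Python models the account-view attack described above and the one control that reliably catches it: reconciling what the browser shows against a balance or statement obtained through a channel the infected PC never touches (telephone banking, a different device, a mailed statement). The ledger, transaction ids and amounts are constructed sample data, and the `mitb_filtered_view` function stands in for the Trojan’s page-rewriting hook; it is a simplification, since real variants could also rewrite the displayed balance, which is exactly why the comparison has to be against an out-of-band figure.

```python
"""Constructed model of a man-in-the-browser "account view" integrity attack.

Nothing here is real bank or malware code; it was written for this page.
It models three things:
  1. the bank's true ledger, which the attack leaves untouched,
  2. the filtered view a Trojan lets the victim see,
  3. an out-of-band reconciliation that exposes the discrepancy.
"""
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Txn:
    txn_id: str
    amount: Decimal  # positive = credit, negative = debit
    memo: str


# The bank's ledger as stored server-side (constructed sample data).
OPENING_BALANCE = Decimal("10000.00")
BANK_LEDGER = [
    Txn("t1", Decimal("25000.00"), "customer payment"),
    Txn("t2", Decimal("-4200.00"), "payroll"),
    Txn("t3", Decimal("-9900.00"), "wire to mule account"),  # the fraudulent transfer
    Txn("t4", Decimal("-312.50"), "office supplies"),
]


def closing_balance(ledger):
    """Balance the bank actually holds; this is what telephone banking
    or a mailed statement would report, independent of the victim's PC."""
    return OPENING_BALANCE + sum(t.amount for t in ledger)


def honest_view(ledger):
    """What the bank's web application really sends: every row."""
    return list(ledger)


def mitb_filtered_view(ledger, hide_ids):
    """Stand-in for the Trojan's hook: drops the fraudulent rows before the
    page renders. The server-side ledger is unchanged; only the victim's
    copy is tampered with."""
    return [t for t in ledger if t.txn_id not in hide_ids]


def displayed_balance(view):
    """Balance the victim would compute from the rows they can see."""
    return OPENING_BALANCE + sum(t.amount for t in view)


def reconcile(view, oob_balance):
    """Detection: the balance implied by on-screen rows must equal the
    balance obtained out of band. A mismatch means rows were dropped or
    altered somewhere between the bank and the screen."""
    return displayed_balance(view) == oob_balance


def hidden_rows(view, oob_ledger):
    """Row-level check when a full out-of-band statement is available:
    transaction ids present at the bank but missing from the on-screen view."""
    return {t.txn_id for t in oob_ledger} - {t.txn_id for t in view}


if __name__ == "__main__":
    true_balance = closing_balance(BANK_LEDGER)          # 20587.50
    clean = honest_view(BANK_LEDGER)
    tampered = mitb_filtered_view(BANK_LEDGER, {"t3"})  # Trojan hides the wire
    print("honest view reconciles:  ", reconcile(clean, true_balance))
    print("tampered view reconciles:", reconcile(tampered, true_balance))
    print("rows hidden from victim: ", hidden_rows(tampered, BANK_LEDGER))
```

The point of the model is where the check lives: any comparison performed entirely inside the infected browser can itself be rewritten by the Trojan, so the reference balance or statement has to come from a second channel the attacker does not control.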

Ira Victor, Co-Host of The Data Security Podcast, is covering the ISACA Las Vegas Conference and had an exclusive sit-down interview with well-known data security researcher and penetration testing expert ‘Famous Peter Woods’ (as he is known), about this new attack.  Peter Woods is the COO of First Base, a security company in the UK.  Mr. Woods is also a keynote speaker at the conference.

Peter Woods characterized this new variation of the Zeus bank Trojan as “a disaster.” Mr. Woods recommended that businesses engage in a serious round of new user awareness training. When we asked Mr. Woods about technical counter-measures the banks could undertake, he questioned the willingness of many banks to invest in counter-measures that would truly be effective against these types of attacks. He thought many banks would be more likely to add new legal disclosures in an attempt to indemnify themselves against financial loss.

Indeed, some banks are now putting new warnings on their web sites that encourage customers to “update anti-virus” and to “update system patches.” Other speakers at the ISACA conference in Las Vegas generally agree that while those measures are good for stopping certain attacks, they are mostly insufficient to thwart these newer types of attacks.

In Data Security Podcast Episode 71, Samantha Stone has an eye-opening interview with the attorney for the Maine construction company that lost $588,000 in a cyber attack and is suing its bank. The cause of action? The plaintiff claims the bank breached its fiduciary duty when it failed to protect against the loss of the $588,000. We suspect that a variant of the Zeus banking Trojan was used to steal the money.

Be sure to subscribe to our RSS feed and listen to Data Security Podcast Episode 72. When that show posts, it will include our interview with Yuval Ben-Itzhak of Finjan. Here is the link to the Finjan report on the new Zeus bank Trojan.

Data Security Podcast Episode 70, Sep 21 2009

Posted in Breach, Court Cases, criminal forensics, darkweb, ediscovery, eMail Security, Legislation, Podcast, Vulnerabilities, web server security on September 20, 2009 by datasecurityblog

30 minutes every week on data security, privacy, and the law…..(plus or minus five)

On this week’s program:

* Full access to anyone’s Facebook account for $100?

* Update on confidential data case in Maricopa County, AZ

* Our take on this week’s news.


–> Scroll down to see links and show notes for this week’s show

–> Stream, subscribe or download Episode 70 – Listen, or subscribe to the feed to have the latest episode delivered automatically to Google, Yahoo, iTunes, or other popular sites.

–> Tune into the show directly on iTunes; you can also subscribe to the program there.

–> A simple way to listen from behind stricter firewalls: Listen from Odeo. This site works better if you are behind a more restrictive enterprise firewall.


Show Notes for Episode 70 of the Data Security Podcast

* Tales From The Dark Web: According to a PandaLabs report, for $100 members of the Dark Web will provide you with the password of any Facebook user. What else are they doing with the data?

$100 for a Facebook User's Password?

* From the News: The SANS Institute releases The Top Cyber Security Risks report. It’s a must read.

* From the News: An Ohio children’s hospital experienced a data breach when a man tried to spy on his ex-girlfriend using malware. Excellent coverage by Robert McMillan of IDG News Service.

*  From the News:   According to a new study: eCommerce Merchants “…Can Convert 11% More Digital Window Shoppers by Adding Security Trustmarks”

Data Security Podcast Episode 65 – Aug 9 2009

Posted in Breach, Conference Coverage, Court Cases, criminal forensics, darkweb, eMail Security, Exclusive, Legislation, Podcast, Vulnerabilities, web server security on August 9, 2009 by datasecurityblog

30 minutes every week on data security, privacy, and the law….(plus or minus five)

On this week’s program:

* More DefCon17 Coverage: How safe are Cloud Computing applications?

* Melissa Hathaway is leaving her White House job as top cyber security official, why is the main stream press not spending time on this story?

* Our take on this week’s news.


This week’s show is 34 minutes.

–> Stream, subscribe or download Episode 65 – Listen, or subscribe to the feed to have the latest episode delivered automatically to Google, Yahoo, iTunes, or other popular sites.

–> Tune into the show directly on iTunes; you can also subscribe to the program there.

–> A simple way to listen from behind stricter firewalls: Listen from Odeo. This site works better if you are behind a more restrictive enterprise firewall.


Show Notes for Episode 65 of the Data Security Podcast

* Tales From The Dark Web: Ira and Samantha talk with the team from Sensepost about Cloud Computing Security

* From the News: The site we mention that successfully repelled last week’s attacks against Twitter/Facebook/LiveJournal: Fotik

* From the News: A 20-year-old man attacks the communication system of the Chicago Transit Authority and the Chicago Loop. And here’s the announcement of the federal homeland security grant to the CTA for bomb-sniffing dogs and other physical security measures. Wow… think transportation officials might have their eye on the wrong ball?

The Chicago Loop

Data Security Podcast Episode 64 – Aug 4 2009

Posted in Breach, Conference Coverage, darkweb, eMail Security, Exclusive, Podcast, Vulnerabilities, web server security on August 4, 2009 by datasecurityblog

30 minutes every week on data security, privacy, and the law….(plus or minus five)

On this week’s program:

SPECIAL DEFCON17 Coverage From Las Vegas

* Is YOUR tax return sitting out there on the Internet? Maybe not yours, but Larry Pesce tells us about the tax returns — and the other stuff he found without much effort.

* Breaching the new “personal WiFi” hot spots, is it child’s play? We’ll find out…. On a special Tales From The Dark Web segment … with David Maynor from Errata Security.

* Our take on the DefCon news.


This week’s show is 34 minutes.

–> Stream, subscribe or download Episode 64 – Listen, or subscribe to the feed to have the latest episode delivered automatically to Google, Yahoo, iTunes, or other popular sites.

–> Tune into the show directly on iTunes; you can also subscribe to the program there.

–> A simple way to listen from behind stricter firewalls: Listen from Odeo. This site works better if you are behind a more restrictive enterprise firewall.


Show Notes for Episode 64 of the Data Security Podcast

* Conversation: Ira talks with Larry Pesce, of PaulDotCom, about the downright scary information he easily found while sifting through a file sharing network.

* Tales From The Dark Web:  Ira talks with David Maynor of Errata Security about the security threats associated with personal WiFi devices.  The photo below is of David:

David Maynor holding the Clear personal WiFi device (left) and the Verizon MiFi personal WiFi device (right)

* From the News: SSL certificate trust attacks; Mike Sussman from Intrepidusgroup.com.

* From the News: Cross Site Request Forgery attacks; Mike Bailey from skeptikal.org.

* From the News: Justin Samuel from the RequestPolicy.com Firefox plug-in team.

* From the News: Tony Flick from Fyrmassociates.com on electric smart grid security threats.

* Wrap: DIFRWear.com RFID protection products

Michael Aiello, CEO of DIFRWear RFID Protection

* Wrap: BumpMyLock.com, locks, lock penetration testing supplies, and how to bump open a lock:

BumpMyLock Booth at DefCon17

PLUS:

In the Lockpicking Village, Selestius tries to pick her way out of a set of handcuffs. Although the photo is blurry, there is a very slim, long, lockpick in Selestius’ right hand:

Lockpicking handcuffs

Hacking Session Floor Space

Some sessions got so crowded there was nowhere to sit. Sometimes even the side-aisle standing room would fill up, and due to fire rules, sitting on the floor of the center aisle was a hazard. Faced with missing a hot session, Thomas from LA came up with an original floor hack: he bought a small, $10 folding camping chair, pulled it up next to a hotel chair, and got a seat in the center aisle of every crowded session. Thomas tells the Data Security Podcast that the “Goons” (DefCon staff) appreciated his innovative approach to crowded sessions.

http://security.talkworkshop.com/images/floor_hacking.jpg

Hacking Floor Space

Data Security Podcast Episode 62 – July 21 2009

Posted in Breach, darkweb, ediscovery, eMail Security, Exclusive, Podcast, Vulnerabilities, web server security on July 20, 2009 by datasecurityblog

30 minutes each week on data security, privacy, and the law….(plus or minus five)

On this week’s program:

* EXCLUSIVE: New tool to fight web attacks, and add to your privacy

* Combining data loss prevention and identity management to protect confidential business data from security breaches.

* Our take on this week’s news.


This week’s show is 33 minutes.

–> Stream, subscribe or download Episode 62 – Listen, or subscribe to the feed to have the latest episode delivered automatically to Google, Yahoo, iTunes, or other popular sites.

–> Tune into the show directly on iTunes; you can also subscribe to the program there.

–> A simple way to listen from behind stricter firewalls: Listen from Odeo. This site works better if you are behind a more restrictive enterprise firewall.


Show Notes for Episode 62 of the Data Security Podcast

* Conversation: Ira talks with Tarique Mustafa, CEO and founder of data loss prevention firm, nexTier.

* Tales From The Dark Web Exclusive: A new browser tool that blocks browser trackers, annoying pop-unders, and some malicious web banner adverts. It’s Ghostery version 2, and it goes live this week. Be sure to get version 2; version 1 only logs trackers, it does not block them.

* From the News: Beaver County school district hit by cyber fraud.

* From the News: Erin Andrews peephole video leads to malware. Read more about this attack on Graham Cluley’s blog.

* From The News: Details on the vulnerability in Firefox 3.5.

* Correction From The News:  When Ira spoke about two factor authentication he meant to say that a password is something that you know. He apologizes for the mistake.

Data Security Podcast Episode 58 – June 22 2009

Posted in Breach, darkweb, ediscovery, Legislation, Podcast, Vulnerabilities, web server security on June 22, 2009 by datasecurityblog

30 minutes each week on data security, privacy, and the law…. (plus or minus five)

On this week’s program:

  • The vast majority of malware infected web sites are legitimate sites that have been secretly hijacked. How would you know if your site was on that list?
  • Your GPS can now tell you where red light cameras, photo radar and DUI checkpoints are. Some local governments aren’t happy about this…we’ll talk to the CEO of the firm providing the data.
  • Plus,  Apple’s PR department calls us back, find out where information security was in their priority list.
  • More details and links in the show notes section below the audio listening instructions.


This week’s show is 26.5 minutes long

–> Stream, subscribe or download Episode 58 – Listen, or subscribe to the feed to have the latest episode delivered automatically to Google, Yahoo, iTunes, or other popular sites.

–> Tune into the show directly on iTunes; you can also subscribe to the program there.

–> A simple way to listen from behind stricter firewalls: Listen from Odeo. This site works better if you are behind a more restrictive enterprise firewall.

This week’s show is sponsored in part by Vipre Anti-Virus, the complete Antimalware solution by Sunbelt Software. If you TRY the enterprise version, you get the home version for FREE! Go to: http://www.testdrivevipre.com . Also sponsored by DeviceLock Removable Media Security Software.

Show Notes for Episode 58 of the Data Security Podcast

  • Ira has a conversation with Joe Scott, the CEO and Founder of PhantomAlert.com. This service lets you use your GPS, and the power of social networks, to get early warnings of the locations of photo radar, red light cameras, DUI checkpoints, and more.
  • From The News: Apple calls us back. They don’t want to talk about security, tune in to find out what they wanted to talk about.
  • From The News:  Due to some traveling, we will not have our take on this week’s news. Our analysis segment will return next week.
  • Wrap: New regulations proposed on GPS use in a moving vehicle.

 
