Archive for XSS

Data Security Podcast Episode 65 – Aug 9 2009

Posted in Breach, Conference Coverage, Court Cases, criminal forensics, darkweb, eMail Security, Exclusive, Legislation, Podcast, Vulnerabilities, web server security on August 9, 2009 by datasecurityblog

30 minutes every week on data security, privacy, and the law….(plus or minus five)

On this week’s program:

* More DefCon17 Coverage: How safe are Cloud Computing applications?

* Melissa Hathaway is leaving her White House job as top cyber security official; why is the mainstream press not spending time on this story?

* Our take on this week’s news.

–>NEW! Stream This Week’s Show with our Built-In Flash Player:


This week’s show is 34 minutes.

–> Stream, subscribe or download Episode 65 – Listen or subscribe to the feed to automatically get the latest episode sent to your Google, Yahoo, iTunes, or other popular sites.

–> Tune into the show directly on iTunes; you can also subscribe to the program on iTunes.

–> A simple way to listen to the show from behind stricter firewalls: Listen from Odeo. This site works better if you are behind a more restrictive enterprise firewall.

Please visit our sponsors, and be sure to let them know you heard about them on The Data Security Podcast:

  • Vipre Anti-Virus, the complete Antimalware solution by Sunbelt Software. If you TRY the enterprise version, you get the home version for FREE! Go to: http://www.testdrivevipre.com.
  • GamaSec Web App Scans: Spots cyber-hazards on your web site, and has advanced zero-day protection. GET YOUR FREE BASIC WEB APP SCAN, plus a special offer just for listeners to The Data Security Podcast. Go here to sign up, and add the offer code: Podcast.
  • SonicWall: Get the super-fast UTM firewall that’s rated Five Stars (the best rating) by Secure Computing Magazine. Data Clone Labs is the premier SonicWall Medallion Partner for all your security needs.
  • DeviceLock: Software that controls, manages and helps encrypt USB drives and other removable media. Get a free trial on their site, and be sure to let them know you heard about them on The Data Security Podcast.

Show Notes for Episode 64 of the Data Security Podcast

* Tales From The Dark Web: Ira and Samantha talk with the team from Sensepost about Cloud Computing Security

* From the News: The site we mention that was able to successfully repel the attacks last week against Twitter/Facebook/LiveJournal: Fotik

* From the News: A 20 year old man attacks the communication system of the Chicago Transit Authority, and the Chicago Loop. And here’s the announcement about the federal homeland security grant to CTA for bomb-sniffing dogs and other physical security measures. Wow… think transportation officials might have their eye on the wrong ball?

The Chicago Loop

Data Security Podcast Episode 64 – Aug 4 2009

Posted in Breach, Conference Coverage, darkweb, eMail Security, Exclusive, Podcast, Vulnerabilities, web server security on August 4, 2009 by datasecurityblog

30 minutes every week on data security, privacy, and the law….(plus or minus five)

On this week’s program:

SPECIAL DEFCON17 Coverage From Las Vegas

* Is YOUR tax return sitting out there on the Internet? Maybe not yours, but Larry Pesce tells us about the tax returns — and the other stuff he found without much effort.

* Breaching the new “personal WiFi” hot spots, is it child’s play? We’ll find out…. On a special Tales From The Dark Web segment … with David Maynor from Errata Security.

* Our take on the DefCon news.

–>NEW! Stream This Week’s Show with our Built-In Flash Player:


This week’s show is 34 minutes.

–> Stream, subscribe or download Episode 64 – Listen or subscribe to the feed to automatically get the latest episode sent to your Google, Yahoo, iTunes, or other popular sites.

–> Tune into the show directly on iTunes; you can also subscribe to the program on iTunes.

–> A simple way to listen to the show from behind stricter firewalls: Listen from Odeo. This site works better if you are behind a more restrictive enterprise firewall.

Please visit our sponsors, and be sure to let them know you heard about them on The Data Security Podcast:

  • Vipre Anti-Virus, the complete Antimalware solution by Sunbelt Software. If you TRY the enterprise version, you get the home version for FREE! Go to: http://www.testdrivevipre.com.
  • GamaSec Web App Scans: Spots cyber-hazards on your web site, and has advanced zero-day protection. GET YOUR FREE BASIC WEB APP SCAN, plus a special offer just for listeners to The Data Security Podcast. Go here to sign up, and add the offer code: Podcast.
  • SonicWall: Get the super-fast UTM firewall that’s rated Five Stars (the best rating) by Secure Computing Magazine. Data Clone Labs is the premier SonicWall Medallion Partner for all your security needs.
  • DeviceLock: Software that controls, manages and helps encrypt USB drives and other removable media. Get a free trial on their site, and be sure to let them know you heard about them on The Data Security Podcast.

Show Notes for Episode 64 of the Data Security Podcast

* Conversation: Ira talks with Larry Pesce, of PaulDotCom, about the downright scary information he easily found while sifting through a file sharing network.

* Tales From The Dark Web: Ira talks with David Maynor of Errata Security about the security threats associated with personal WiFi devices. The photo below is of David:

David Maynor holding the Clear personal WiFi device (left) and the Verizon/MiFi personal WiFi device (right)

* From the News: SSL certificate trust attack; Mike Sussman from Intrepidusgroup.com.

* From the News: Cross Site Request Forgery attacks; Mike Bailey from skeptikal.org.

* From the News: Justin Samuel from the RequestPolicy.com Firefox plug-in team.

* From the News: Tony Flick from Fyrmassociates.com on the electric smart grid security threats.

* Wrap: DIFRWear.com RFID protection products

Michael Aiello, CEO of DIFRWear RFID Protection

* Wrap: BumpMyLock.com, locks, lock penetration testing supplies, and how to bump open a lock:

BumpMyLock Booth at DefCon17

PLUS:

In the Lockpicking Village, Selestius tries to pick her way out of a set of handcuffs. Although the photo is blurry, there is a very slim, long, lockpick in Selestius’ right hand:

Lockpicking handcuffs

Hacking Session Floor Space

Some sessions got so crowded, there was nowhere to sit. Sometimes the side-aisle standing room would fill up. Due to fire rules, sitting on the floor of the center aisle was a hazard. Faced with not getting to see a hot session, Thomas from LA thought of an original floor hack: He bought a small, $10 folding camping chair. He pulled it next to a hotel chair, and got a seat in the center aisle of every crowded session! Thomas tells the Data Security Podcast that the “Goons” (DefCon staff) appreciated his innovative approach to crowded sessions.

Hacking Floor Space

Data Security Podcast Episode 62 – July 21 2009

Posted in Breach, darkweb, ediscovery, eMail Security, Exclusive, Podcast, Vulnerabilities, web server security on July 20, 2009 by datasecurityblog

30 minutes each week on data security, privacy, and the law….(plus or minus five)

On this week’s program:

* EXCLUSIVE: New tool to fight web attacks, and add to your privacy

* Combining data loss prevention and identity management to protect confidential business data from security breaches.

* Our take on this week’s news.

–>NEW! Stream This Week’s Show with our Built-In Flash Player:


This week’s show is 33 minutes.

–> Stream, subscribe or download Episode 62 – Listen or subscribe to the feed to automatically get the latest episode sent to your Google, Yahoo, iTunes, or other popular sites.

–> Tune into the show directly on iTunes; you can also subscribe to the program on iTunes.

–> A simple way to listen to the show from behind stricter firewalls: Listen from Odeo. This site works better if you are behind a more restrictive enterprise firewall.

Please visit our sponsors, and be sure to let them know you heard about them on The Data Security Podcast:

  • Vipre Anti-Virus, the complete Antimalware solution by Sunbelt Software. If you TRY the enterprise version, you get the home version for FREE! Go to: http://www.testdrivevipre.com.
  • GamaSec Web App Scans: Spots cyber-hazards on your web site, and has advanced zero-day protection. GET YOUR FREE BASIC WEB APP SCAN, plus a special offer just for listeners to The Data Security Podcast. Go here to sign up, and add the offer code: Podcast.
  • SonicWall: Get the super-fast UTM firewall that’s rated Five Stars (the best rating) by Secure Computing Magazine. Data Clone Labs is the premier SonicWall Medallion Partner for all your security needs.
  • DeviceLock: Software that controls, manages and helps encrypt USB drives and other removable media. Get a free trial on their site, and be sure to let them know you heard about them on The Data Security Podcast.

Show Notes for Episode 62 of the Data Security Podcast

* Conversation: Ira talks with Tarique Mustafa, CEO and founder of data loss prevention firm, nexTier.

* Tales From The Dark Web Exclusive: A new browser tool that blocks browser trackers, annoying pop-unders, AND some malicious web banner adverts. It’s Ghostery version 2, and it goes live this week. Be sure to get version 2, as version one is only logging, not blocking!

* From the News: Beaver County school district hit by cyber fraud.

* From the News: Erin Andrews peephole video leads to malware. Read more about this attack on Graham Cluley’s blog.

* From The News: Details on the vulnerability in Firefox 3.5.

* Correction From The News: When Ira spoke about two factor authentication he meant to say that a password is something that you know. He apologizes for the mistake.

Data Security Podcast Episode 58 – June 22 2009

Posted in Breach, darkweb, ediscovery, Legislation, Podcast, Vulnerabilities, web server security on June 22, 2009 by datasecurityblog

30 minutes each week on data security, privacy, and the law…. (plus or minus five)

On this week’s program:

  • The vast majority of malware infected web sites are legitimate sites that have been secretly hijacked. How would you know if your site was on that list?
  • Your GPS can now tell you where red light cameras, photo radar and DUI checkpoints are. Some local governments aren’t happy about this…we’ll talk to the CEO of the firm providing the data.
  • Plus, Apple’s PR department calls us back; find out where information security was on their priority list.
  • More details and links in the show notes section below the audio listening instructions.

–>NEW! Stream This Week’s Show with our Built-In Flash Player: (or scroll down to try the Odeo link for a very firewall friendly player)


This week’s show is 26.5 minutes long

–> Stream, subscribe or download Episode 58 – Listen or subscribe to the feed to automatically get the latest episode sent to your Google, Yahoo, iTunes, or other popular sites.

–> Tune into the show directly on iTunes; you can also subscribe to the program on iTunes.

–> A simple way to listen to the show from behind stricter firewalls: Listen from Odeo. This site works better if you are behind a more restrictive enterprise firewall.

This week’s show is sponsored in part by Vipre Anti-Virus, the complete Antimalware solution by Sunbelt Software. If you TRY the enterprise version, you get the home version for FREE! Go to: http://www.testdrivevipre.com. Also sponsored by DeviceLock Removable Media Security Software.

Show Notes for Episode 58 of the Data Security Podcast

  • Ira has a conversation with Joe Scott, the CEO and Founder of PhantomAlert.com. This service allows you to use your GPS, and the power of social networks, to get early warnings of the locations of photo radar, red light cameras, DUI checkpoints, and more.
  • From The News: Apple calls us back. They don’t want to talk about security; tune in to find out what they wanted to talk about.
  • From The News: Due to some traveling, we will not have our take on this week’s news. Our analysis segment will return next week.
  • Wrap: New regulations proposed on GPS use in a moving vehicle.
Data Security Podcast Episode 56 – June 8 2009

Posted in Breach, Court Cases, criminal forensics, darkweb, ediscovery, eMail Security, Podcast, Vulnerabilities, web server security on June 7, 2009 by datasecurityblog

The Data Security Podcast is the place for 30 minutes of news every week on data security, privacy, and the law.

This week’s program – Twitter users are the target of a new, malicious web re-direct. How will The President’s new cybersecurity plan impact you? One of the nation’s top cryptographers weighs in. And, our take on this week’s news.

–> Stream, subscribe or download – Listen or subscribe to the feed to automatically get the latest episode sent to your Google, Yahoo, iTunes, or other popular sites.

–> Tune into the show directly on iTunes; you can also subscribe to the program on iTunes.

This week’s show is sponsored in part by Vipre Anti-Virus, the complete Antimalware solution by Sunbelt Software. If you TRY the enterprise version, you get the home version for FREE! Go to: http://www.testdrivevipre.com. Also sponsored by DeviceLock Removable Media Security Software.

The Show Notes Page for this week’s The Data Security Podcast

–> Ira has a conversation with Paul Kocher, President and Chief Scientist of Cryptography Research, Inc. about The Obama Administration’s new cybersecurity plans.

–> Tales From The Dark Web: Finjan‘s CTO Yuval Ben-Itzhak talks with us about a new web re-direction attack targeting users of Twitter.

–> From The News: Is there a constitutional right to informational privacy? The Ninth Circuit Court suggests there is by issuing an injunction in favor of contract employees at NASA who objected to invasive background investigations. But then the full Court declined to hear the case. So the question won’t be settled any time soon, but it raises some interesting issues.

Judge Kozinski’s dissent (we should hear the case)

Judge Wardlaw’s concurrence (we shouldn’t hear the case)

A dissection of the privacy issues by legal blogger Eugene Volokh at the Volokh Conspiracy. Don’t scroll — the link will take you to the top of the blog, and then jump to the correct post.

–> The Wrap: Autorun Worm Invades ZIP

Autorun Worm Invaded Zip Files

StrongWebMail Bounty Attack – Caveat Emptor

Posted in Breach, eMail Security, Exclusive, web server security on June 7, 2009 by datasecurityblog

StrongWebMail has received publicity for the $10,000 bounty that the company’s chief executive offered if someone could break into his web mail account. The executive, Darren Berkovitz, posted his StrongWebMail username and password on the company web site.

IDG is reporting that three information security professionals are now claiming that they were able to pwn (“own”) Mr. Berkovitz’s StrongWebMail account. Although their exact method has not been revealed, IDG is reporting that the StrongWebMail site was vulnerable to cross site scripting attacks.

The Data Security Podcast had a conversation with Darren Berkovitz on Friday June 5th.

He was not yet ready to talk about the StrongWebMail bounty attack. But, he agreed to do so in the coming week. That conversation will be posted on June 15th, in Episode 57 of the Data Security Podcast.

He did talk with us on Friday about his service in general, and about the challenges of market adoption of multi-factor authentication.

StrongWebMail’s parent company, Telesign, is a provider of phone-focused multi-factor authentication services. The service allows owners of web sites to validate users with a phone call to the end user. That call contains a validation code, for use on the web site, in addition to a username/password pair. StrongWebMail is, in some ways, a proof of concept designed by Telesign to demonstrate the acceptance of multi-factor authentication for the world’s most popular web application: web mail.

According to Mr. Berkovitz, StrongWebMail uses an off-the-shelf web mail application once users get past validation.

And that may be the chink in the armour that the security researchers used. Rather than attacking the multi-factor element, IDG reports that the researchers created their own StrongWebMail accounts. They then used those accounts to launch attacks that allowed them to “hop over” from one user account to another, including, allegedly, hopping over to Mr. Berkovitz’s account.

If they waited for Mr. Berkovitz to log in, and then hopped over to his account, that could be a method to gain access to his account. If this is indeed the nature of the bounty attack, then it re-emphasizes the importance of securing the code of web applications. The best multi-factor systems cannot compensate for weaknesses in a web application: the phone-based second factor is only checked at login, so a cross site scripting flaw in the mail application that runs after login sits entirely outside what that second factor protects.

So, if we are on the right track, then this is not a story about the weaknesses of a two factor authentication system. This may simply be another example of the importance of security in web-based, or so-called cloud computing, applications. That even includes web sites that assure customers that “our site is secure,” or even when the site has names, icons, or other technologies associated with information security in general.

Data Security Podcast Episode 52 – May 11 2009

Posted in Breach, darkweb, Podcast, Vulnerabilities, web server security on May 11, 2009 by datasecurityblog

The Data Security Podcast is the place for 30 minutes of news every week on data security, privacy, and the law.

This week’s program – Cross Site Request Forgery attacks; a different approach to stopping malicious code. And, our take on this week’s news.

–> Stream, subscribe or download – Listen or subscribe to the feed to automatically get the latest episode sent to your Google, Yahoo, iTunes, or other popular sites.

–> Tune into the show directly on iTunes; you can also subscribe to the program on iTunes.

–> Stream, subscribe, or download via our page at Podcast.com.

This week’s show is sponsored by Vipre Anti-Virus, the complete Antimalware solution by Sunbelt Software. If you TRY the enterprise version, you get the home version for FREE! Go to: http://www.testdrivevipre.com.

The Show Notes Page for Episode 52 of The Data Security Podcast

–> Ira has a conversation with Tom Murphy, Senior Strategist with Bit9, about whitelisting approved applications rather than a signature based approach to blocking. Bit9 offers white papers on the topic.

–> Tales From The Dark Web: Cross Site Request Forgery attacks and other attacks targeting sites using Web2.0 applications are highlighted in this report.

–> Be sure to read a new feature on our web site: Lame Excuses, the dumb statements by people who should have been responsible for securing information. We welcome your contributions.

–> From The News: Report: Web application security and IDS in air traffic control systems.

WHY WE CHOSE NOT TO POST OUR INTERVIEW WITH ALLEGED TWITTER WORM CREATOR

Posted in Breach, criminal forensics, darkweb, Exclusive on April 12, 2009 by datasecurityblog

The blogosphere is atweet with news of a DarkWeb attack on Twitter users. We believe we were the first to contact the man who claims to be the creator of the worm. We thought better of using his voice on our podcast, though, when we realized he’s only 17 years old. That makes him too young to consent legally to a globally-distributed interview. He may also be too immature to be a reliable source. The jury’s out on that.

At this point, we’ve decided to sit on the tape, even though the young man’s identity and his claims of responsibility for the Twitter hack have been widely revealed.

The co-host of Data Security Podcast spent quite a few years in a broadcast news room, and it’s her insistence that has prevented us from posting the audio, based on the age of the subject, his assertion that he was drunk when he conducted his exploit, and a healthy dose of journalistic skepticism.

(She reminded me that just last week, The Taliban claimed responsibility for a mass shooting in upstate New York, which turned out not to be the case, according to police. She questioned whether this “kid” is responsible for the Twitter attack just because he says he is, and beyond that, is he a “kid” at all, or is he older than 17? If he is a kid, why are his parents allowing him to stand in the media spotlight when he could be in big legal trouble? By the way, where are his parents? All good questions.)

Indeed, the young man has changed his story since he spoke with me. Last night he said he did it to drive traffic to his website. He now claims his attack was calculated to expose a Twitter vulnerability. And as I write this, he’s released a second attack, according to cnet news.

But there’s more to say about this Twitter attack. As everyone knows, the attack took the form of spam invitations to visit Stalkdaily.com, a site the young hacker claims to have created. Stalkdaily.com is a site with features similar to Twitter’s, but allows users to add multimedia to their posts.

In my conversation with the self-proclaimed attacker, I got a description of his methodology, which has also been surmised by other analysts. What’s NOT getting much ink is that this man exploited a common vulnerability that exists on a huge number of websites (cross-site scripting attacks – XSS). Only because Twitter is the flavor of the month is there so much attention paid to this XSS attack.

There is evidence that there are thousands of these attacks going on every day, but since the web sites aren’t called Twitter, the attack is not on the radar screen for mainstream media. I fear that all the attention will be on Twitter, and on a young man seeking his 15 minutes of fame, rather than on the same serious security issues that are present on many, many other web sites.

Note to Tweeters: You should add layers of security to your Twitter usage, if you have not already done so. HOWTO: Protect Yourself On Twitter (Lessons Learned From The StalkDaily Twitter Hack)

If you like this posting, please consider LISTENING TO AND SUBSCRIBING TO THE DATA SECURITY PODCAST

Data Security Podcast Episode 44 – Mar 16 2009

Posted in Breach, Court Cases, criminal forensics, darkweb, ediscovery, Exclusive, Podcast, Vulnerabilities on March 15, 2009 by datasecurityblog

The Data Security Podcast is the place for 30 minutes of news every week on data security, privacy, and the law.

This week’s program: Card merchants ignoring wireless security; Crypto, mobile VoIP, unlimited vox and data: The smartest smartphone? And the week’s news.

–> Stream, subscribe or download Episode 44 – Listen or subscribe to the feed to automatically get the latest episode sent to your Google, Yahoo, iTunes, or other popular sites.

–> Tune into the show directly on iTunes; you can also subscribe to the program on iTunes.

This week’s show is sponsored by The Engate Hosted eMail Security System. Tell them you heard about them on the Data Security Podcast and get 50% off their service. Offer good until March 31st, 2009. Tales from The Dark Web Sponsored by DeviceLock Removable Media Security Software.

The Show Notes Page for Episode 44 of The Data Security Podcast

- From The News: Cnet has excellent team coverage of Craigslist, and the accusations that it is a hub for illegal sex offerings.

- From The News: The PCI Security Council releases a Prioritized Approach Guide and Worksheet to help merchants with a six-step approach to PCI DSS compliance.

- From The News: How to update Foxit PDF reader; Go to Help Menu -> Select Check for Updates -> and choose the option at or on the bottom of the list, 3.0.2009.1506 (or a higher number).

- Tales From The Dark Web: Read Randy Abrams from ESET Anti-Virus company and his experience communicating with Google about Dark Web software he found on Google’s Blogspot.com.

- Conversation: Ira speaks with Ben Pilani of Zer01mobile.com. They are going to offer smartphone software that includes: Encryption, VoIP, unlimited voice and data. Ira and Ben talk about the security protocols used (SSL), and issues related to using Real Time Protocol (RTP) over the slow GSM cellular networks.

Data Security Podcast Episode 24 – Oct 28 2008

Posted in Podcast on October 27, 2008 by datasecurityblog

The Data Security Podcast is the place for 30 minutes of news every week on data security, privacy, and the law.

This week’s program: Cross Site Scripting impacts Yahoo; eVoting security; Congress wants iPhones, what are the security impacts? Plus, the latest data security news.

–> Stream, subscribe or download Episode 24 – Listen or subscribe to the feed to automatically get the latest episode sent to your Google, Yahoo, iTunes, or other popular sites.

–> Tune into the show directly on iTunes; you can also subscribe to the program on iTunes.

This week’s show is sponsored by DeviceLock

Program Notes for Episode 24

From the news: Capitol Hill wants taxpayer supplied iPhones, potentially impacting data security.

Tales From The DarkWeb – Cross Site Scripting Attacks hit Yahoo users.

Conversation with Jacob West about eVoting security. Read the Fortify Software report on eVoting security.
