Archive for July, 2008

Data Security Podcast Episode 11 – July 28 2008

Posted in Podcast on July 28, 2008 by datasecurityblog

The Data Security Podcast is the place for 30 minutes of news every week on data security, privacy, and the law.

In this week’s episode: interview with Marc Tobias, white hat lockpicker and lawyer;
the Coreflood botnet stealing enterprise passwords; and the latest data security news

–> Stream, subscribe or download Episode 11. Listen, or subscribe to the feed to have the latest episode delivered automatically to Google, Yahoo, iTunes, or other popular sites.

–> Tune into the show directly on iTunes; you can also subscribe to the program there.

This week’s show is sponsored by DeviceLock

Program Notes for Episode 11


1. Finally, some actual information on the Childs case. Excellent reports from Paul Venezia at InfoWorld.

2. COPA – Child Online Protection Act; ACLU v. Mukasey – Opinion of the Court

3. Security firm Promisec announced findings from security audits of more than 100,000 corporate endpoints. See more details in Ira’s blog posting from earlier today.

Interview Notes:

Marc Weber Tobias, Esq., author of THE COMPROMISE OF MEDECO® HIGH SECURITY LOCKS: New Techniques of Forced, Covert, and Surreptitious Entry

Preview Marc’s upcoming talk at DefCon, Aug. 2008: Open in 30 Seconds: Cracking One of the Most Secure Locks in America

Tales From The Dark Web:

Password-stealing Trojan is spreading like a worm, and is targeted directly at the enterprise. Read the details in the story by Tim Wilson, and the comments of David Jevans, Chairman of the Anti-Phishing Working Group.


Promisec Release Findings from Security Audits of 100,000 Desktops

Posted in Vulnerabilities on July 28, 2008 by datasecurityblog

Scans of more than 100,000 PCs and servers across a number of industries show an alarming rise in internal security threats over the past year.

Security firm Promisec announced findings from security audits of more than 100,000 corporate endpoints. The audits were conducted in the first six months of 2008 in enterprises of different sizes and revealed that not one organization was completely free of internal threats; the minimum number of threats found in any organization was three.

Promisec’s security audits were done across a number of industries, including finance, healthcare, insurance, manufacturing, etc. and found that:

• Use of unauthorized removable storage continues to rise in organizations.

• The number of endpoints that do not apply threat management agents or are not updated with the latest build or signatures continues to rise.

• Instances of unauthorized instant messaging continue to increase in all organizations.

Promisec discovered:

• 12% of infected computers had a missing or disabled anti-virus program

• 10.7% had unauthorized personal storage like USB sticks or external hard drives

• 9.1% had unauthorized peer-to-peer (P2P) applications installed

Of note: a dramatic increase in poor security postures versus the 2007 study results.
For example, the percentage of infected computers with unauthorized remote control software had increased more than 200-fold; there was a 12-fold increase in PCs with disabled anti-virus, and a 10-fold increase in PCs with unauthorized storage, like USB drives, iPods, or smartphones.

Data Security Podcast Episode 10 – July 21 2008

Posted in Podcast on July 21, 2008 by datasecurityblog

The Data Security Podcast is the place for 30 minutes of news every week on data security, the law, and the digital underworld.

In this week’s episode: A tracking tool to follow Office files when they leave your server, remote access security, and the latest data security news.

–> Stream, subscribe or download Episode 10. Listen, or subscribe to the feed to have the latest episode delivered automatically to Google, Yahoo, iTunes, or other popular sites.

–> Tune into the show directly on iTunes; you can also subscribe to the program there.

This week’s show is sponsored by DeviceLock

Program Notes for Episode 10:

1. Temporarily blind surveillance cameras

2. The Plot Thickens on The City of San Francisco Network Lockout. Read the excellent story in PC World.

3. Myspace pages used against people in court. Read more in the AP story by Eric Tucker.

4. Dark Web advertises Trojan with a guarantee to evade anti-virus software. Details from Tech Digest.

Interview Notes:

Interview 1: Brian Klug of , an interesting free utility to track documents

Interview 2: Andrew Hay of Q1Labs on security and remote access

SANS Webcast: Separated at Birth – Identity and Access Reunited!

SANS Tool Talk Webcast: Log Management: No Longer Optional – How to Choose the Right Tool for the Job

Q1 whitepapers

– Leveraging Log Management to Boost Enterprise IT Security

– A Proactive Approach to Battling Today’s Complex Network Threats

– Beyond the Perimeter: Enterprise-wide Intrusion Prevention White Paper

– Lessons in Threat Management: Lowering Security Risks in Campus Networks White Paper

Our guest, Andrew, has a Blog here

Malware hiding as a UPS tracking email could hit enterprise networks

Posted in eMail Security on July 20, 2008 by datasecurityblog

According to Consumer Reports and anti-spam company Marshal, there is a new wave of email malware being sent by members of the Darkweb. The Marshal posting shows a screenshot of the email and the attachment icons. This story will also be covered in Episode 10 of the Data Security Podcast, scheduled to post on this site no later than Tuesday.

The email looks like a UPS message about package tracking, a rather common email that people receive every business day.

Except that this message says the package has been delayed, and instructs the victim to open the attached “invoice” and go to the local UPS depot to arrange to receive the package. The attachment is an executable that carries the familiar Microsoft Word document icon, so a user who judges a file by its icon sees a harmless document rather than a program.

Once the attachment is opened, the hidden malware connects the victim’s computer to a Russian server. That server installs a rootkit on the victim’s computer, which can give the attacker total control of the system and access to the information on it, and potentially to other computers reachable from the compromised system through network shares.

Consumer Reports reports that UPS says it “rarely” sends attachments in its communications with customers.

The question remains: why does UPS need to send attachments at all when sending delivery information? If businesses would stick to text-only, non-HTML messages, users would learn not to open attachments, even when they look legitimate. Plus, the ever-growing number of mobile email users would always be able to read important messages on the go. If you administer an email system, it may be prudent to block executable attachments if you are not doing so already, and to block them by file content rather than by the .exe extension alone, since a lure like this one is dressed up to look like a document.
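The attachment check suggested above, as an added example that is not from the original post, Marshal or UPS: it inspects each attachment of an RFC 822 message and flags it when its extension is executable, when a double extension makes it look like a document, or when the content begins with the “MZ” signature every Windows executable carries (the icon the user sees lives inside the file and does not change this). The sample message, the filenames and the addresses are constructed for the demonstration; the “executable” is just a header stub, not malware.

```python
"""Flag e-mail attachments that are executables no matter how they are named or
what icon they carry. Added example with a constructed sample message."""
import email
from email import policy
from email.message import EmailMessage
from typing import List, Tuple

# Extensions Windows will run directly; a gateway should block these by default.
EXEC_EXTENSIONS = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs", "js", "hta"}
# File signatures ("magic bytes"). Every Windows executable starts with "MZ";
# the Word icon shown to the user is stored inside the file and is irrelevant here.
PE_MAGIC = b"MZ"
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy .doc/.xls container header


def attachment_findings(raw_message: bytes) -> List[Tuple[str, List[str]]]:
    """Return (filename, reasons) for every attachment that should be blocked."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        payload = part.get_payload(decode=True) or b""
        exts = name.lower().split(".")[1:]  # ["doc", "exe"] for "x.doc.exe"
        reasons = []
        if exts and exts[-1] in EXEC_EXTENSIONS:
            reasons.append(f"executable extension .{exts[-1]}")
            if len(exts) >= 2:
                reasons.append(f"double extension makes it look like a .{exts[-2]} file")
        if payload.startswith(PE_MAGIC):
            reasons.append("content is a Windows executable (MZ header)")
            if not exts or exts[-1] not in EXEC_EXTENSIONS:
                reasons.append("executable content behind a non-executable name")
        if reasons:
            findings.append((name, reasons))
    return findings


def build_sample_message() -> bytes:
    """Constructed lure modelled on the UPS e-mail described above (not a real sample)."""
    msg = EmailMessage()
    msg["From"] = "UPS Customer Service <service@example.invalid>"  # constructed
    msg["To"] = "recipient@example.invalid"                         # constructed
    msg["Subject"] = "UPS tracking: delivery delayed"
    msg.set_content("Your package could not be delivered. Print the attached invoice "
                    "and present it at your local depot to collect the package.")
    # Stand-in for the disguised executable: a DOS header stub, nothing runnable.
    fake_exe = PE_MAGIC + b"\x90\x00" * 30 + b"This program cannot be run in DOS mode."
    msg.add_attachment(fake_exe, maintype="application", subtype="msword",
                       filename="UPS_INVOICE_4821.doc.exe")
    # A benign legacy Word document (OLE compound file header), for contrast.
    msg.add_attachment(OLE_MAGIC + b"\x00" * 64, maintype="application",
                       subtype="msword", filename="delivery_terms.doc")
    return msg.as_bytes()


if __name__ == "__main__":
    for filename, reasons in attachment_findings(build_sample_message()):
        print(f"BLOCK {filename}")
        for reason in reasons:
            print(f"  - {reason}")
```

Only the disguised attachment is reported; the real .doc passes. At a gateway the same logic runs on every inbound message, and the MZ check is the part that matters: renaming the file or changing its icon does not change its first two bytes.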

Data Security Podcast Episode 9 – July 14 2008

Posted in Podcast on July 14, 2008 by datasecurityblog

This is the NEW place for news and analysis every week on data security, the law, and the digital underworld. I will blog on this site and, starting next week, podcast from this site, iTunes, and Feedburner. You can listen to Episodes 1-9 at The GovTech Security News Podcast Site.

LISTEN TO Episode 9: Interview with Bryan Sartin of Verizon Business. You can also find this program on iTunes, by searching for our original program name, GovTech Security News.

Podcast Show Note: “2008 Data Breach Investigations Report”

Fundamental Flaw in DNS Threatens Data for Many

Posted in Vulnerabilities on July 12, 2008 by datasecurityblog

DNS, the Domain Name System, is the service that maps the names people type into the numeric IP addresses computers actually use. As you know, computers know numbers, not letters. So when you type: into a web browser, the DNS server at your office or ISP looks up that name and returns the site’s IP address, and your browser then connects to that address to display the site. If instead that translation is hijacked, you can be taken to a site that LOOKS just like, but is actually an attacker’s site, and that could result in a serious data breach.

It’s important that we can trust the DNS servers to take us to the real destination. In information security, this is called integrity. Integrity in this context means trusting that the answer we get back is authentic and that the page we see really is’s site.

Dan Kaminsky, director of penetration testing at security firm IOActive, discovered, quite by accident, a fundamental flaw that affects most of the thousands upon thousands of DNS servers in use today. The flaw lets an attacker poison a DNS server’s cache: plant a forged answer that the server then hands out to everyone who asks it for that name.

Dan helped coordinate a secret meeting at Microsoft a few months ago that also included Cisco, Sun and other leading IT firms. The attendees agreed to a coordinated, simultaneous release of a fix, or patch, for this flaw, so that site owners could update their DNS servers quickly. That release took place this week. The patch makes forged answers much harder to deliver by randomizing the source port a DNS server uses for each outgoing query, instead of using one predictable port. As of this week, no known attacks had occurred using this flaw, and the hope is that systems are patched before the bad guys can create an attack that exploits it.

Here is what you need to ask: Where is your DNS resolved? Or, put another way, “Where is our DNS server?” Internally on your corporate network? At your ISP? With another firm? Some combination? Is each of your DNS servers patched against this flaw?

Don’t assume that your DNS is up to date just because you are using a Microsoft DNS server, or just because you get your DNS from a large ISP. According to press reports, some DNS servers are so old that they can’t be patched successfully.

Five days have passed since this announcement, and the AT&T DNS servers that many millions use for Internet access have still not been patched, according to a tool that Dan Kaminsky wrote. A link to that tool is provided below. I used it to check some of AT&T’s DNS servers. Are these servers too old to be patched? Is AT&T waiting “for a problem to occur” before patching? Are the servers being patched as you read this? It is difficult to determine why at this point, but the fact remains that their users could be victims of one of these attacks.

Once you determine how you get your DNS, get the IP address of that DNS server. A DNS IP address will look something like: . I recommend setting the network settings on your computer to point at the DNS server or servers you are using, and then running Dan’s tool to check each server in turn, because the tool tests whichever resolver your computer is using at that moment.
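What a check like Dan’s is measuring, as an added example that is not his tool or code from this post: a test authoritative server records the UDP source port and transaction ID of each query a resolver sends it, and a resolver whose source port is fixed or counts upward leaves an off-path attacker only the 16-bit transaction ID to guess per forged reply. The observations below are constructed to show the three behaviours (fixed port, sequential port, random port); `assess_resolver` classifies them and `spoof_success_probability` turns the resulting guess space into the chance that a burst of forged replies lands, which is the arithmetic behind the patch.

```python
"""Assess a recursive resolver's resistance to Kaminsky-style cache poisoning from
the source ports and transaction IDs on its outbound queries. Added example with
constructed observations standing in for a test authoritative server's log."""
import random
from typing import Dict, List, Tuple

Observation = Tuple[int, int]  # (UDP source port, DNS transaction ID) of one query


def classify_field(values: List[int]) -> str:
    """'fixed' (a single value), 'sequential' (constant step mod 2^16), else 'varied'."""
    if len(set(values)) == 1:
        return "fixed"
    steps = {(b - a) % 65536 for a, b in zip(values, values[1:])}
    if len(steps) == 1:
        return "sequential"
    return "varied"


def assess_resolver(observations: List[Observation]) -> Dict[str, object]:
    """Estimate how many bits an off-path attacker must guess per forged reply."""
    ports = [port for port, _ in observations]
    txids = [txid for _, txid in observations]
    port_pattern = classify_field(ports)
    txid_pattern = classify_field(txids)
    # A fixed or sequential field is predictable and contributes no guessing work;
    # a varied 16-bit field contributes up to 16 bits. A handful of samples can only
    # catch these gross failures, which is exactly what the pre-patch servers showed.
    guess_bits = (16 if port_pattern == "varied" else 0) + \
                 (16 if txid_pattern == "varied" else 0)
    return {
        "port_pattern": port_pattern,
        "txid_pattern": txid_pattern,
        "guess_bits": guess_bits,
        "verdict": "randomized" if guess_bits >= 32 else "vulnerable",
    }


def spoof_success_probability(guess_bits: int, forged_replies: int) -> float:
    """P(at least one of n forged replies matches) = 1 - (1 - 2^-bits)^n."""
    return 1.0 - (1.0 - 2.0 ** -guess_bits) ** forged_replies


def constructed_observations(kind: str, n: int = 32, seed: int = 1) -> List[Observation]:
    """Constructed samples for the three resolver behaviours (not captured traffic)."""
    rng = random.Random(seed)
    txids = [rng.randrange(65536) for _ in range(n)]  # transaction IDs already random
    if kind == "fixed_port":          # pre-patch: one source port for every query
        ports = [32977] * n
    elif kind == "sequential_port":   # incrementing ports are just as predictable
        ports = [(40000 + i) % 65536 for i in range(n)]
    elif kind == "random_port":       # post-patch: fresh random port per query
        ports = [rng.randrange(1024, 65536) for _ in range(n)]
    else:
        raise ValueError(f"unknown kind: {kind}")
    return list(zip(ports, txids))


if __name__ == "__main__":
    for kind in ("fixed_port", "sequential_port", "random_port"):
        result = assess_resolver(constructed_observations(kind))
        p = spoof_success_probability(int(result["guess_bits"]), 200)
        print(f"{kind:16s} {result['verdict']:10s} guess bits={result['guess_bits']:2d} "
              f"P(hit with 200 forged replies)={p:.2e}")
```

With a fixed or sequential port the attacker needs on average about 32,000 forged replies to win once, and the Kaminsky technique lets him retry as often as he likes by asking for fresh random subdomains; with the port randomized as well the guess space grows by a factor of tens of thousands. Running this against a live resolver means pointing it at a name you are authoritative for and logging the queries that arrive, which is what Dan’s hosted check does for you.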

There is a free DNS service called OpenDNS. You can point your computers, devices, and networks to OpenDNS and use their free service for your DNS. OpenDNS can also filter out porn content, horoscope sites, betting sites and other “not safe for work” sites. OpenDNS claims that their servers were never open to this flaw. When I tested them with Dan’s tool, they passed his test. Here are some OpenDNS servers that you can use without even signing up for the added features: and 208.67.220.220.

How do they do this for free? If you have ever typed in a wrong address on the web, you know you get an error page. Well, when using OpenDNS, that page comes back with a Google Search engine, where a portion of the ad revenue is split with OpenDNS.

Don’t ignore this flaw: by its very nature, you might never know you have been a victim until it is too late.

Here are some helpful links:

1. US-CERT (United States Computer Emergency Readiness Team), Multiple DNS implementations vulnerable to cache poisoning

2. Dan Kaminsky’s DNS flaw check tool, in the upper right corner of the linked page

3. OpenDNS