Episode 123 – March 27, 2010

Episode 123 features two interviews, and the show is 72 minutes long.

First — an amazing story about a scareware company that sold hundreds of millions worth of fake antivirus. A big, big, business with offices across the globe, 650 employees, and a tech support operation for the “customers” who bought the fake software. Writer Jim Giles tells the story. Jim’s interview starts about 21 minutes into the show. His article for New Scientist is featured here.

Later in the show – we talk to the Director of Global Electronics Systems Engineering at Ford Motor Company, Jim Buczkowski. Ford has put a firewall between the dashboard, where you jack in with your mobile device, and the car’s computer systems.  The thinking is, if your device is infected,we  wouldn’t want it to cause break failure or something like that! Ford is ahead of the game on this. Ford’s Sync system is multi-functional communication system in the dashboard. Here’s hoping it lives up to its promise. The interview starts approximately 58 minutes into the show.

Our Take on This Week’s News:

Lead story? This article in the U.K.Telegraph touts “typeprint analysis” as as if it were a hot new development, and reports that British researchers are looking for a grant to study it further as a way to monitor whether there are pedophiles online, chatting with the kids. Is anyone else sick of pedophilia and other sex crimes as a frame on which to hang funding requests and tax increases? This article doesn’t read well, and it certainly doesn’t break any technology news. The researchers mention that there are private sector uses for their work. All well and good, particularly since positive ID for banking transactions is among them. So why hide behind the pedophiles?  And why did the reporter not dig deeper into what’s new and different about this use of an established technology?

It’s tax season, and of course, the cybercriminals are focused on whatever preoccupies the rest of us. A new email scam features a fake IRS email notice… which leads to a zeus attack. NOTE TO EMPLOYERS AND I T ADMINS: This could show up in your employees’ inbox as an email from your company…. as in: “we have overcalculated your social security tax, and we need to fix it before April 15.” Or some such nonsense. You should write a memo immediately, alerting employees that they are to ignore any email that induces them to action regarding taxes.

Federal employees have received 12 months probation and community service as punishment for viewing (collectively) 900 confidential passport applications. Nobody appears to have been fired for this. At least the justice department press release doesn’t mention any firings.

Here’s a story we picked up at RSA in San Francisco. Tom Murphy, Chief Strategy Officer of  Bit9,  discusses (among other things) targeted attacks that are narrower than spam, viruses and botnets. They are customized to specific organizations to steal specific information. Bit9 has some free security tools that could help.

CanSecWest hacking contest: The predictions were correct. iPhone fell first (it took 20 seconds). Then Apple Safari. Then IE8 on Windows 7. See references below.

iPhone: http://blogs.zdnet.com/security/?p=5836&tag=col1;post-5846

Apple OSX and Apple Safari: http://blogs.zdnet.com/security/?p=5846&tag=col1;post-5855

Windows7 IE8: http://blogs.zdnet.com/security/?p=5855&tag=content;col2

Nonetheless, your employees will be bringing their new iPads to work. Tony Bradley offers a lot of security questions businesses need to ask. Ask them this week, before the iPad hits the stores. (Tony Bradley is co-author of Unified Communications for Dummies . He tweets as @Tony_BradleyPCW . You can follow him on his Facebook page , or contact him by email at tony_bradley@pcworld.com) .

Security training can be – well – boring. The employees sit in a seminar and listen to abstract descriptions of attacks. And they never get a chance to practice what they learn. So that’s why researchers at Carnegie Mellon University decided to try training that includes “microgames.” Little games employees can play in a few minutes. The objective is to teach them about phishing attacks…. How to discern a “good URL” from a “bad URL.” Then the researchers measured whether the gamers retained the information. And most did. The fun interaction with the phishing lesson made a difference. CMU’s Dr. Jason Hong directed the research. We have posted an interview with him on the conference notes page. His team is marketing their training games now. The company is called Wombat Security.

Virtual Machines – an attractive solution in these times when money is tight. But before you virtualize, update your security plan. Here are some tips from F5 Netorks.

Hate to say we told you so…. Airport worker given police warning for ‘misusing’ body scanner. If by “misusing” you mean “taking a picture of your co-worker as she walks through it.”


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: