Peter Eckersley of the Electronic Frontier Foundation announces the results of his research project called Panopticlick. Bottom line – 94 percent of computers leave a unique fingerprint on websites. The interview starts about 25 minutes into episode 141. Episode 141 is one hour and 12 minutes long. You can listen by clicking on the flash player below, or there are other ways of listening to the show on our “listening options” page.
Chris Hogue tells us about his upcoming presentation to a SANS Forensics and Incident Response Summit in Washington DC. He’s discussing “Sniper Forensics”… it’s a new approach to computer forensics. The interview begins about 55 minutes into episode 141.
Our Take on This Week’s News
Zeus-style banking attack perpetrated on a credit union in Salt Lake City. The bad guys apparently penetrated an employee’s desktop computer, and then were able to get into the bank system. $100K disappeared, largely in $5K increments. Credit Union president says the attack got past the company’s Norton… Geez
Remember the Pennsylvania school district that gave its students laptops loaded with tracking software… and then proceeded to collect hundreds of photos of the kids at home, snapped through the laptop lenses… well, it seems the tracking software on the Lower Merion laptops can be easily hacked. A security company did some research on it, and here’s what they found.
Josh Levy is a writer, internet strategist, and the organizer of a project called “Pledge to Leave Facebook.” The interview is 9 minutes long, and it starts about 56 minutes into the show. Episode 139 is 1 hour and 12 minutes long. You can hear it by clicking on the flash player below, or click on the listening options page for other ways to listen.
Our take on this week’s news:
Co-host Ira Victor is out of town. Lee Rowland from the ACLU of Nevada sits in as guest co-host for a first-hour privacy round-up. Recent issues include:
The Houston Police Department recently held a secret (no media allowed) event where the invited guests contemplated the use of drone aircraft for domestic law enforcement. Nonetheless, one news outlet got wind of it, and stationed its television cameras on the property next door. They caught the launch of the drone on camera. Cops say they aren’t sure how they’ll use the technology, but aren’t ruling out anything. Watch the whole report. It’s about four minutes long.
TSA continues to roll out the full body scanning machines to airports across the nation. Passengers don’t seem to be aware that they can opt for a pat-down instead of a virtual strip search.
Tough week for Facebook. The Wall Street Journal reports the company gave personal info to advertisers. EFF offers insight.
On the heels of a CBS news investigative report about the data left on copy machine hard drives, the FTC is applying pressure to the makers of the machines to educate customers about scrubbing the hard drives. (Xerox is leading the pack, according to one account.)
Not cool enough for a Mac? Why the Apple Store refused to sell an iPad to a disabled woman. (She wanted to pay cash. Apple’s iPad policy was credit or debit card only.) And why Apple relented, and delivered the device to her home a few days later. (San Francisco television consumer reporter Michael Finney and his news feature “7 on Your Side” shamed them into it.)
Interview Segment – Jason Miller, Data and Security Team Manager for Shavlik Technologies on patch management. It’s not a sexy topic, but it’s critically important. Jason says patching should be determined by the needs of the business, rather than the importance rating issued by Microsoft or other vendors. The interview is 7 minutes 38 seconds long, and it starts at about 21 minutes into episode 137.
And Google admits that its Street View cars have been slurping up wireless access point information. There’s a lot of anger over this, and we’re predicting an advertiser backlash against the privacy violators.
As if Goldman Sachs doesn’t have enough problems… Now the company is being sued for intellectual property theft.
Nine former employees of an education agency in Iowa were indicted for sneaking a peek at Presidential candidate Barack Obama’s student loan records.
A new twist on a familiar theme. A big company with a security flaw on its website; a security expert discovers it and tries to report it, but the company ignores him or pats him on the head and tells him to go away. This happens with surprising regularity. In this case, Smackdown blogger Michael VanDeMer writes about a spate of hacks to blogs hosted by GoDaddy.
If your company accepts credit cards, listen to our featured interview with Richard Moulds from security firm Thales. He and Ira discuss the upcoming revision of Payment Card Industry standards. (Standards are set by the PCI Security Standards Council). Thales sponsored a survey of PCI auditors, to discover where they believe the weak spots are, and where improvements should be made. The interview is 11 minutes long, and it starts 56 minutes into Episode 135.
FedGov wants to snoop into your financial transactions: As most major news organizations have reported, there are potential privacy hazards for consumers and merchants lurking in the federal financial reform bill. Republicans objected last week to the creation of two agencies that would be empowered to scrutinize purchases made on credit. We’re thankful the subject was raised, but we note that the Republicans very likely were using consumer privacy as a bargaining chip to get other changes in the bill that they consider truly important. Let’s not be lulled into believing that citizen privacy is not a priority for any legislator when there are other issues on the table. Sure enough, this article, published a day and a half later, bears out our assertion. It’s a three-page report indicating that Republican objections had been trounced. In three pages of reporting, not a mention of the privacy concerns, so it’s clear that other matters dominated the discussion, and any concerns over privacy must have evaporated in the backroom discussions.
BTW – those two snooping “consumer protection” agencies would be located within the Federal Reserve and the U.S. Department of Treasury. Well, it seems that Treasury is having some data security problems right now. PandaLabs has located easy-as-pie hacker kits with targets that include the U.S. Treasury.
Computer glitches hamper census: Remember how much money and effort was spent persuading you to return your census form? Now the GAO reports fairly significant problems with the computer system that was specially designed for processing the paper responses. For the moment, they’re reporting major cost overruns — AND — that a lot of the paper responses might not be counted anyway. Why is this in our data security beat? Because information security has three pillars: Confidentiality, Integrity, and Availability. We can rule out data integrity here, because the census data most likely won’t be accurate. Rule out confidentiality, because, as congress has now been informed, stacks of paper responses are piled up in offices waiting to be entered into the system. And we should probably rule out availability too, unless the many agencies making use of census data want to trudge over to the commerce department and analyze it by hand.
You may have seen this by now: Hats off to CBS news for their coverage of the copy machine hard drives left unscrubbed when the machines are discarded by business. Chilling. Few mainstream news organizations are doing good coverage of these issues, and we hope this CBS reporter wins an award for his excellent work.
Did fedgov use drones to track the Times Square bomber? This story has not been reported anywhere else, but the source seems credible. Leaving us to wonder about the Obama administration’s public preference for giving suspected terrorists constitutional rights. A terrorist is either a criminal suspect or a combatant. Not both. If there is a behind-the-scenes use of military signal intelligence to track criminals, then they are not criminals, they are combatants. Or are they? Let’s decide and stick with one course.
Caller Kevin wanted to know how to diagnose mysterious CPU spikes on his system. Is there a security issue here? Ira promised to look up a free utility that can help. Long ago, when The CyberJungle was still the Data Security Podcast, we reported on MimarSinan’s Rubber Ducky System Monitor. Jim Murray, the creator of this utility, talked with us about how he came up with the software after his wife’s computer system came under attack.
John Pironti, President of IP Architects, LLC, talks with us about risk management for businesses. Ira met John at the Interop Business Technology Conference in Las Vegas, where John presented a session on developing an information risk management and security strategy. The interview is 12 minutes long, and it starts about 22 minutes into Episode 133. The standalone interview is also posted on our conference notes page.
Former city of San Francisco network engineer convicted of computer tampering for locking city officials out of the network when he got wind of impending layoffs.
Sarah Palin’s email hacker convicted. The following account is from WBIR in Knoxville, TN. Ira has his own detailed version, as he kept close track of the initial events that led to David Kernell’s arrest. Ira’s account starts about 45 minutes into episode 133.
A federal jury found former UT student David Kernell guilty of obstruction of justice and unauthorized access in the breach of Sarah Palin’s e-mail. It happened in September 2008, when Palin was running for U.S. Vice President. The obstruction of justice conviction makes Kernell a felon. David Kernell tried to cover up his actions by erasing the hard drive of the computer he used in the crimes. The case is a mistrial on count one, the charge of identity theft. The jury found Kernell not guilty on count two, the charge of wire fraud. Unauthorized access is a misdemeanor lesser included charge from count three, which accused Kernell of felony unlawful computer access. The jury found Kernell guilty of obstruction of justice. That carries a maximum sentence of 20 years in prison, with a fine up to $250,000.
Hot Topics at Interop 2010 Las Vegas: Cloud Computing, Virtualization, IT Security and Risk Management, VoIP and Unified Communications, Mobile Business Communications. Ira discusses the conference, starting about 11 minutes into episode 133.
Ira spoke with Michael Saitow, CIO of liquor distributor MS Walker, and Philippe Winthrop, Managing Director of The Enterprise Mobility Foundation; both were panelists on a mobile communications and policy seminar at Interop.
Money laundering operation shut down, as an entrepreneur is indicted: ACH transactions used to move money for internet gambling operations.
Another indictment: conspirator in hospital scheme to sell trauma patient medical records to personal injury attorneys.