Archive for October, 2010

October 31, 2010 – Episode 185

Posted in Report Security Flaws, The CyberJungle with tags on October 30, 2010 by datasecurityblog

Episode 185:

This week’s regular episode of  The Cyberjungle  is 1 hour and 17 minutes long. You can hear it by clicking on the flash player below, or you can go to the listening options page and browse for other ways to hear the show.

To listen to Episode 185 via the flash player:

Our Take on This Week’s News

We abandoned our format today for a discussion of electronic voting irregularities, based on news coverage  coming out of Nevada and North Carolina.  We were rankled when  Nevada  election officials  proclaimed it “technologically impossible” that voter’s electronic ballot was “premarked” for Harry Reid when she inserted it into the machine.  According to the voter, several people she knows experienced the same thing.

Did it happen? We don’t know, but we don’t want to hear our election officials telling voters or the press that such fraud is impossible.  Not only is electronic data manipulation always possible, but voting machine flaws have been demonstrated repeatedly.  And those demonstrations don’t even contemplate polling place procedures, reliance on volunteer poll workers, huge amounts of money involved in high-stakes races, and the long planning period that would be possible between elections.

What’s impossible is putting your faith in people who don’t acknowledge that electronic fraud can occur.  It would be far more comforting to me as a voter to hear them acknowledge that fraud is an ever-present concern, and then tell us some (not all) of the measures they take to prevent it.

“There’s no evidence,” they said, which is what the folks in charge say after most data breaches.  “There’s no evidence anyone was harmed” is a phrase you will find in almost every data breach news story where anyone from management is quoted.

The election officials went beyond that, blaming the problem on sloppy voters touching sensitive screens.   This explanation does nothing to calm the emotional voter who believes something has gone haywire with his or her vote.  And voter fear and frustration does not foster trust in government.

So we decided to develop an evidence preservation guide for the average voter. That way, if something odd happens, there will be evidence, which will be of great help in figuring out what went wrong, or at least provide a more comforting explanation than “it’s impossible.”

Remain skeptical when you vote, but don’t be paranoid. Most votes, most of the time, are counted and recorded accurately.

Ten Steps: A Forensic Approach to Touch Screen Voting:

1) Planning ahead before going to the polls is important. “Plan the dive, and dive the plan” as the saying goes.

2) If your cell phone has a camera:  Calibrate the time/date on your phone.  Just about every cell phone or smart phone has a setting to calibrate the phone’s time with the carrier. This will give you a fairly accurate time stamp.  If your cell phone does not have a camera, or you don’t own a cell phone, bring a camera and a watch (with the correct time) with you to the polls.  Bring a pen a paper with you to the polls, or know how to use the note or email feature of your cell phone/ smartphone.

3) When you are about to start voting, don’t touch the electronic voting machine screen with anything other than the pointer/eraser you are give. “Fat fingering” the screen is common. If you observe any irregularities before, during, or after you register your votes, take a picture of the screen(s). Note the time you took the photos.

4) Locate the serial number on the voting machine and write it down (it might be on the front, or the back of the machine, but each machine has a unique control number).

5) Find the transaction number or your voter number, if you have gone far enough to generate one. Write that number down.

6) Explain the problem to a poll worker.  Most poll workers will be helpful, but voters should never assume that poll-workers are the final authority on fraud and machine malfunctions. Some poll workers may repeat the misinformation that mal-programmed machines are “impossible.”

7) If it is determined that a machine failure has occurred, ask to vote on another machine. Make sure that vote occurs smoothly.

8) If you don’t get satisfaction from the poll worker, talk to the poll manager. If you don’t get satisfaction at that level, ask if there are any observers present from the political parties or the secretary of state’s office. Keep your documentation of what happened.

9) If nobody on site can give you satisfaction, take the information you have recorded, and call or go to the election office at your county government complex.  If you do not get satisfaction at the county level, contact the secretary of state’s office for your state.

10) Only after you have gone through these steps, and no satisfactory explanation has resulted, should you alert the media. If you have exhausted the steps above, a good reporter will want a copy of your information, and a BRIEF description of what happened.


October 24, 2010 – Episode 183

Posted in Breach, Court Cases, criminal forensics, darkweb, ediscovery, eMail Security, Exclusive, Legislation, Show Notes, The CyberJungle, Vulnerabilities with tags , , , , , , on October 23, 2010 by datasecurityblog

Episode 183:

This week’s regular episode of  The Cyberjungle  is 1 hour and 18 minutes long. You can hear it by clicking on the flash player below, or you can go to the listening options page and browse for other ways to hear the show.

To listen to Episode 183 via the flash player:


Joe Levy, Chief Technical Officer with  Solera Networks, stops by to discuss the Zeus Trojan variant that’s making its way around the IRS offices.  Joe’s  interview is 6 minutes long, and it begins about 25 minutes into Episode 183.

Tales from the Dark Web

If cybercrime were a disease, it would be a pandemic and the whole world would be sick. So says a report from Kroll and The Economist Intelligence Unit

Our Take on This Week’s News

School bus surveillance cams – School buses equipped with traffic cams.  It’s an experiment in a Maryland school district, where officials say the little darlings are in more danger as they alight from the bus than any other time, although no child in Maryland has ever been hit while alighting from a school bus.

Insurance companies view social networkers as burglary risks – Duh.  A survey by an insurance trade group indicates a significant number of Facebook and Twitter post their locations, and it’s worth considering whether to reflect this in their insurance rates.

And while we’re ragging on Facebook – Are gay users of Facebook being outed to advertisers for targeted product marketing? Duh again.

Ten oreos, two handfuls of fritos, a pint of Ben and Jerry’s – Are you aware that when you make use of web tools that allow you to keep track your personal behavior, that information could become discoverable in court? (Diet websites come to mind.)

Participants wanted– A new project to monitor BlackBerry traffic as it is sent from various countries. The results will help researchers and users understand what’s happening to the communications as RIM is pressured to cooperate with repressive governments.

More BlackBerry news –  The how and why of BlackBerry eavesdropping, and why it might not be what you think.

A new tool for good guys,- And bad guys, parents, employers, forensic investigators, and everyone who needs to keep tabs on someone.  ElcomSoft tool cracks web browser passwords.

CyberJungle FAQ

Shockwave Zero-day Attack In the Wild

Fake Microsoft Security Essentials Attack

October 17, 2010 – Episode 181

Posted in Breach, Court Cases, criminal forensics, darkweb, ediscovery, Legislation, The CyberJungle, Vulnerabilities with tags , , , , , on October 17, 2010 by datasecurityblog

Episode 181:

This week’s regular episode of  The Cyberjungle  is 1 hour and 13 minutes long. You can hear it by clicking on the flash player below, or you can go to the listening options page and browse for other ways to hear the show.

To listen to Episode 181 via the flash player:


Jason Miller, patch management expert with Shavlik Technologies, tells us how to deal with the biggest patch release in modern IT history… which took place on Tuesday, October 12.  Jason’s  interview is 8 minutes long, and it begins about 24 minutes into Episode 181.

Tales from the Dark Web

You’ve  heard of  “software as a service”… Now there’s “crimeware as service” —  a convenient way for the bad guys to outsource their criminal acts.

Our Take on This Week’s News

What’s in your medicine cabinet? The Feds and 34 states are putting together a giant prescription drug database so they can review the contents.

What did he know, and when did he know it? At least one IT staffer in the Lower Marion School District waxed fondly about the remote tracking capabilities on the laptops issued to students who later sued the district for spying on them.

Bullying is bad, um-kay? President Obama holds a town hall with MTV viewers, during which he tells them there should be zero tolerance for bullying — cyber or otherwise.

Security tradeoff: caution for coolness – Device Reputation Service Reveals iPhone at Top of Mobile Transaction Fraud Risk.

Your building pass could be more valuable than ever – Some federal employees will see their CACs (common access RFID cards) expanded. They’ll still get the card holder into a building or a computer system. But the cards will be expanded to include to include mass transit fares, debit payment, and ATM functionality… all in one card.

Mixing business and pleasure – Explosive growth of mobile devices leads to security risks as workers use their own devices to store and transmit work data.

Fun finder or stalker tool? The website monitors social networking sites to help dudes locate gatherings of women.  But blogger Jason Stamper conducted an experiment that points out the dangers women might face when they publish all the details of their daily lives.

Kudos for baking it in! New version of Opera to have extensions with software code check for security.

October 10, 2010- Episode 179

Posted in Breach, Conference Coverage, Court Cases, criminal forensics, darkweb, ediscovery, eMail Security, Show Notes, The CyberJungle, Vulnerabilities with tags , , , on October 9, 2010 by datasecurityblog

Episode 179:

This week’s regular episode of  The Cyberjungle  is 1 hour and 20 minutes long. You can hear it by clicking on the flash player below, or you can go to the listening options page and browse for other ways to hear the show.

To listen to Episode 179 via the flash player:


Kevin Johnson is a security researcher with Secure Ideas. We met him in  September at the SANS network security conference in Las Vegas, where he discussed the challenges of integrating social network users into a business environment. Kevin’s  interview is 8 minutes long, and it begins about 26 minutes into Episode 179.

Tales from the Dark Web

A Nigerian record producer and part-time cybercriminal is on the FBI’s most wanted list. You probably won’t see this guy at the Grammys this year.

Our Take on This Week’s News

Free on bail – A contractor who did some work for Fannie Mae is looking at a maximum 10-year prison sentence after planting a malware bomb that would have brought down 5,ooo servers had it not been discovered. Lessons about the importance of logs, and keeping track of which employer is responsible for “passthrough” employees.

Peeing in a cup is so 1990s – When there’s a company that will crawl through your social network to help your employer discover who you really are. Psychological profile, criminal tendencies, gratuitous use of slang popularized by drug culture, you name it.

No such thing as cyberbullying –  So says blogger Anil Dash, who argues that the word has been invented to help parents, school administrators, and the media duck responsibility for teaching kids civil behavior.

Golddigger falls for own husband posing as rich guy –  And he found out where his golddigging wife was living, after she took off with their son. His scheme – posing on Facebook as someone she would find “attractive” (i.e. wealthy). Father and son are reunited.

Sophisticated payment card terminal breach- Hardware hacks are posing a bigger cybercrime problem these days.  This attack was geographically widespread, suggesting the bad guys actually went into grocery stores in 11 states, distracted the employees, and changed out the payment terminals.

Dead people can now vote online – Online voting is not ready for prime time, as this mock election in Washington D.C. revealed.  What a mess!  The good news – they actually tested the system before they forced voters to use it. The bad news – they wait until four weeks before the election to do the test.

I like to watch –  Dallas kicks off the iwatch program.

We’ve dished out plenty of  iPhone criticism – but it turns out the BlackBerry has a killer flaw.

Hey, we’ve been looking for that – Mechanic discovers FBI tracking device while working on a car belonging to an American student of Egyptian descent.  Zaniness ensues.

October 3, 2010- Episode 177

Posted in Breach, Court Cases, criminal forensics, darkweb, Legislation, Podcast, The CyberJungle, Vulnerabilities, web server security with tags , , , on October 3, 2010 by datasecurityblog

Episode 177:

This week’s regular episode of  The Cyberjungle  is 1 hour and 16 minutes long. You can hear it by clicking on the flash player below, or you can go to the listening options page and browse for other ways to hear the show.

To listen to Episode 177 via the flash player:


Dr. Eric Cole is an instructor at the SANS Institute and a CTO with McAfee.  He discusses data security based upon actions, rather than just signatures of attacks.  Dr. Cole’s interview begins about 25 minutes into Episode 177.

Tales from the Dark Web

Restaurant Security Fails – $200,000 in fraudulent credit card charges made after a restaurant purchased a new PCI compliant point of sale system, but failed to take the other steps needed to secure the information. Many businesses are failing to secure their point of sale systems and other parts of their business. They run out of date software, insecure systems. Most small businesses still don’t think they are a target for cyber criminals.

Our Take on This Week’s News

Obama Administration seeks wiretap access through backdoors to all online communication channels. The effort would include a requirement for access to encrypted communications. The EFF points out this battle has already been won once.

Rat on your neighbor, part II – Meanwhile, Department of Homeland Security launches a suspicious activity report database.

Poor Tyler Clementi, the Rutgers student whose gay tryst was available to his roommate’s chat partners via webcam, has not yet been laid to rest, and a state lawmaker is seizing upon his suicide to get attention for herself. Thumbs way down to these vultures who climb upon the bones of dead teenagers to get publicity or to shill for legislation that would otherwise go nowhere. This is all too common.

Another episode of Databreach Theater – Courthouse News reports on a databreach case originating in a Kansas prison.  The Six Circuit Court apparently concluded that an act can be simultaneously “inadvertent” and “willful.”

Zeus arrests – Bank Account Takeover Attack gang members arrested in three countries. The Zues attacks nonetheless continue, with one of many variants now targeting mobile banking users.

Judge acquits speeding motorcyclist who used a helmet cam to record traffic antics and a traffic stop by an armed plain-clothes cop.

Stuxnet Update- The Saga Continues: Could this attack ‘inspire’ similar attacks? Was the attack targeting India rather than Iran? China has also had a taste of Stuxnet.

Bug Bounty -Should major cloud services/sites set up a bounty system for web app bugs?

CyberJungle FAQ:

Skip the Adobe PDF mess and download Foxitsoftware’s PDF reader

For easy, much more secure tool one can use for online banking, use Webconverger