Archive for the Uncategorized Category

RSA Conference 2015: Opening Keynotes, Tuesday April 21st 2015

Posted in Uncategorized on April 22, 2015 by datasecurityblog

The Opening Keynotes for RSA Conference 2015 seemed like a safe bet, if judged by the lines to get into the Keynote auditorium at Moscone Center in San Francisco. The CyberJungle showed up early and encountered a massive line of people grabbing a “brown bag” breakfast of a ham and egg sandwich. So we skipped that line, grabbed a bite nearby, and came back just to see the keynotes.

Just at the moment it was our turn in line to enter, the security people said the room just hit capacity, and The CyberJungle had to view the keynotes in an overflow room filled with a massive video display.

While the technology in that room was great, the keynotes were a snore. Jane Lynch from Glee was doing a song and dance number that was more appropriate for a G-rated MTV Music Awards performance, backup singers included. Snore.

While the opening keynote by RSA head honcho Amit Yoran had some good nuggets about the transformation of security into everything around us (think Internet of Things, smart cars, etc.), there was still a lot of marketing fluff over computer science substance.

‘Whit’ Diffie, one of the godfathers of crypto, was on a panel, and didn’t disappoint with his insights into the future of crypto.

Overall, The CyberJungle wishes for more substance and less sizzle in next year’s opening keynotes.

December 7, 2010 – Episode 190

Posted in Breach, Court Cases, criminal forensics, darkweb, ediscovery, Show Notes, The CyberJungle, Uncategorized, Vulnerabilities on December 7, 2010 by datasecurityblog

Episode 190 of The CyberJungle is 36 minutes long. You can hear it by clicking on the flash player below, or you can go to the listening options page and browse for other ways to hear the show.

Interview

Interview with Marc Maiffret, eEye CTO, on 0days and a new free 0day detection tool. Read the announcement: eEye Delivers Centralized, End-to-End Vulnerability and Compliance Management Solution. White paper from eEye.

Tales from the Dark Web

The King of Spam gets busted while shopping for custom car accessories at SEMA Las Vegas.

Our Take On This Week’s News

Warrantless tracking of car rentals, credit card sales, and even supermarket club cards: Researcher Christopher Soghoian discovered law enforcement uses something called a “hotwatch order” that allows real-time surveillance of purchases and movement.

Think Hillary Clinton is p.o.’d at Julian Assange? What about this woman, whose chats, emails, photos, and Facebook messages were turned over to New York Magazine, reportedly by Wikileaks. Poor Claire… now friends know she hates their weddings, and her boss knows what she thinks about him. Nice of New York Mag to redact the name of Claire’s boss, but it was kind of a meaningless gesture since they posted a photo of her.

Sheriff’s Department data breach could put people at risk. An IT staffer posted confidential law enforcement data to an unprotected web server. Poor policy, poor procedures, or both?

From the Expo Floor at RSA – And you thought your computer was buggy…

Posted in Uncategorized on March 2, 2010 by datasecurityblog

If this doesn’t get the point across, we don’t know what would. (They’re real, and they’re spectacular.) Someone in the ESET marketing department deserves a raise and a promotion for this exhibit. To see and hear more serious reports about the RSA Security Conference in San Francisco, see our Conference Notes page. We’ll post new material several times daily. The Conference Notes page also has its own RSS feed, so if you’re interested, you can be notified whenever there’s a new post.

Cybersecurity Act: Is Federal InfoSec License Key To ‘Net Control?

Posted in Uncategorized on August 28, 2009 by datasecurityblog

The Internet is abuzz today with reports by Declan McCullagh that the newest version of the Cybersecurity Act of 2009 has been getting some edits by Senator Jay Rockefeller (D-WV). Although the full edits have not been released, the reports so far continue to talk about how this bill, if passed, could result in sweeping changes in how IT professionals do their job.

The provision would require the licensing of cybersecurity professionals by the Federal Government. As far as I know, this would be the first time that a Federal license would be required in an area of information technology work. The boundaries of this provision, like many provisions in this bill, are very vague. In simple terms, for any IT security task the Feds say impacts critical infrastructure (not defined), this bill could give the Feds the power to control. Some have wondered if this is a way to enforce a cyber state of emergency – order licensed professionals to turn over controls to the Feds when an emergency is declared.

I am a member of InfraGard. As InfraGard members, we are told that the Feds consider all the following critical infrastructure: communications, financial services, health care, agriculture, transportation, education, utilities, energy, and first responders.

As we have covered in the Data Security Podcast, the Federal Government’s own auditors have reported that the Feds have a terrible track record in protecting data. For example, in a September report featured on this site:

The Treasury Inspector General for Tax Administration, the IRS’ internal auditors, report that over 1800 internal web servers on the IRS network had not been approved to connect to the network, and over 2000 internal web servers connected to the network had at least 1 high-, 1 medium-, or 1 low-risk security vulnerability.

For the Feds, failing security grades are the rule, not the exception. Now, the Feds want to tell information security professionals if they are qualified to do their job, and how to do their job. Some would use a Yiddish word when referring to the Federal Government’s attempt to instruct IT security professionals on how to do their job: Chutzpah.

The movement to pass laws to regulate IT security professionals at the state level has passed in a few states. The Texas law has resulted in actions against IT professionals at computer retailers.

In Nevada, a similar bill was proposed in 2007 to regulate the work of IT professionals. It was spearheaded by the private investigators’ lobby. That bill, as introduced, would have required that certain IT professionals buy, and be certified by the vendors of, select commercial software packages. That bill passed State Senate committee, and was only stopped by the determined and focused efforts of IT security professionals in Northern Nevada. It appears that only among regulators, and those wishing to limit competition, is there a groundswell of support for the government to license IT professionals.

In Data Security Podcast Episode 48, we talked with Lee Tien of The Electronic Frontier Foundation (EFF) about this bill. Lee Tien and the EFF feel that there are many other areas of the bill to be concerned about, including a sweeping shift by the Feds to transfer cybersecurity from the private sector to the Federal Government, and to transfer responsibility within the Federal Government to the White House. Of great concern is that the bill is without any specifics of where the powers begin and end. For example, the bill gives the Federal Government the authority to determine which systems stay online and which go offline, in the event of an undefined cyber threat.

Earlier this year, entrepreneur and author Rod Beckström resigned as head of the National Cyber Security Center (“NCSC”). He said that his job was being stripped of staff and funding. What, about this bill, did Rod Beckström know, and when did he know it? As we reported on the Podcast a few weeks ago, Melissa E. Hathaway, the White House’s Senior Cybersecurity Official, also resigned.

Update: This Week’s Data Security Podcast

Posted in Uncategorized on July 20, 2009 by datasecurityblog

Note to listeners: Although we typically post on Sunday night, this week’s program is again scheduled to be posted on Tuesday.

We are working on the following stories for you: EXCLUSIVE: New tool to fight drive-by downloads. A take on the corporate Twitter attack you have not heard elsewhere.

These stories, and more, coming up on Episode 62 of The Data Security Podcast; 30 minutes every week on data security, privacy, and the law with Ira Victor and Samantha Stone.

Will The Cybersecurity Act of 2009 Require IT Security Professionals To Get A License From The Feds?

Posted in Uncategorized on April 11, 2009 by datasecurityblog

The Cybersecurity Act of 2009 was just introduced by Senators Jay Rockefeller (D-WV) and Olympia Snowe (R-ME). This bill, if passed, could result in sweeping changes in how IT professionals do their job.

There is a provision within this bill that would require the licensure of cybersecurity professionals by the Federal Government. As far as I know, this would be the first time that a Federal license would be required in an area of information technology work. The boundaries of this provision are very vague. In simple terms, for any IT security task the Feds say impacts critical infrastructure (not defined), this bill could give the Feds the power to control.

I am a member of InfraGard. As InfraGard members, we are told that the Feds consider all the following critical infrastructure: communications, financial services, health care, agriculture, transportation, education, utilities, energy, and first responders.

As we have covered in the Data Security Podcast, the Federal Government’s own auditors have reported that the Feds have a terrible track record in protecting data. For example, in a September report featured on this site:

The Treasury Inspector General for Tax Administration, the IRS’ internal auditors, report that over 1800 internal web servers on the IRS network had not been approved to connect to the network, and over 2000 internal web servers connected to the network had at least 1 high-, 1 medium-, or 1 low-risk security vulnerability.

For the Feds, failing security grades are the rule, not the exception. Now, the Feds want to tell information security professionals if they are qualified to do their job, and how to do their job. Some would use a Yiddish word when referring to the Federal Government’s attempt to instruct IT security professionals on how to do their job: Chutzpah.

The movement to pass laws to regulate IT security professionals at the state level has passed in a few states. The Texas law has resulted in actions against IT professionals at computer retailers.

In Nevada, a similar bill was proposed in 2007 to regulate the work of IT professionals. It was spearheaded by the private investigators’ lobby. That bill, as introduced, would have required that certain IT professionals buy, and be certified by the vendors of, select commercial software packages. That bill passed State Senate committee, and was only stopped by the determined and focused efforts of IT security professionals in Northern Nevada. It appears that only among regulators, and those wishing to limit competition, is there a groundswell of support for the government to license IT professionals.

In the very next episode of the Data Security Podcast (episode 48), we are scheduled to air an interview with Lee Tien of The Electronic Frontier Foundation (EFF) about this bill. Lee Tien and the EFF feel that there are many other areas of the bill to be concerned about, including a sweeping shift by the Feds to transfer cybersecurity from the private sector to the Federal Government, and to transfer responsibility within the Federal Government to the White House. Of great concern is that the bill is without any specifics of where the powers begin and end. For example, the bill gives the Federal Government the authority to determine which systems stay online and which go offline, in the event of an undefined cyber threat.

Last month, entrepreneur and author Rod Beckström resigned as head of the National Cyber Security Center (“NCSC”). He said that his job was being stripped of staff and funding. What, about this bill, did Rod Beckström know, and when did he know it?

We will keep following this bill, and this story, on the Data Security Podcast. You can also follow updates that EFF is posting on their blog. Read the Cybersecurity Act of 2009, and a summary of the bill.

Data Security Podcast Episode 34 – Jan 04 2009

Posted in darkweb, eMail Security, Podcast, Uncategorized on January 4, 2009 by datasecurityblog

The Data Security Podcast is the place for 30 minutes of news every week on data security, privacy, and the law.

This week’s program: Is Google logging the keystrokes on your computer? New attack on fingerprint readers. Plus, this week’s data security news.

–> Stream, subscribe or download Episode 34 – Listen or subscribe to the feed to automatically get the latest episode sent to your Google, Yahoo, iTunes, or other popular sites.

–> Tune into the show directly on iTunes; you can also subscribe to the program on iTunes.

This week’s show is sponsored by The Engate Hosted eMail Security System.

In the Data Security News This Week:

From a Seattle Times article: After 6 months, drivers ignoring cellphone ban

Are drivers ignoring cell phone bans?

Cell Phone Ban, by Theo Moudakis

From TimesOnline:  The Home Office has quietly adopted a new plan to allow police across Britain routinely to hack into people’s personal computers without a warrant.

DATA SECURITY PODCAST KUDOS: We have been very hard on government agencies, because many of them are bad at protecting data. Here is an exception to the rule: the Chief Information Security Officer for The State of Michigan, Dan Lohrmann.

Tales from The Dark Web: Woman buys fingerprint spoofing tape from counterfeit ID broker

Conversation: Ira talks with Robert Gelb of the AngryHacker.com Blog about desktop keylogging concerns with Google Desktop Search, and possible data hijacking concerns when using Google Docs.