Archive for email

April 17, 2012, Episode 255, Show Notes

Posted in Breach, Court Cases, criminal forensics, eMail Security, Exclusive, Show Notes, The CyberJungle, Vulnerabilities on April 17, 2012 by datasecurityblog

Episode 255 of The CyberJungle is about 32 minutes long.  You can hear it by clicking on the flash player below. You may download the file directly – great for listening on many smartphones. Or, you may go to the listening options page and browse for other ways to hear the show.


Interview

Exclusive: James Bologna from Thomson Reuters on security process

Tales From The Dark Web

Pardon the audio quality as we upgrade to a new studio; Tales from The Dark Web is on a break.

Our Take on This Week’s News

Email snooping by IT administrators

Apple posts separate Flashback removal tool

Is Google invading privacy with ReCAPTCHA RePurposing?

Wrap

FBI track Anonymous hacker using his girlfriend’s boobs


June 20, 2010 – Episodes 147 and 146

Posted in Breach, Court Cases, criminal forensics, darkweb, eMail Security, Legislation, Show Notes, The CyberJungle, Vulnerabilities, web server security on June 19, 2010 by datasecurityblog

Episode 147 is this week’s full episode of The CyberJungle. Episode 146 is the su root edition for advanced listeners – too technical for the radio.

Episode 147-

This week’s show is 1 hour and 14 minutes long. You can hear it by clicking on the flash player below, or you can go to the listening options page and browse for other ways to hear the show.


Interviews:

David Perry, Global Director of Education for TrendMicro. David just flew back from the international Anti-Phishing Working Group Conference in São Paulo, Brazil. David became really animated when I asked him about details regarding huge cybercrime armies in China. David recommends the Counter-Measures Blog by TrendMicro. This conversation is about 9 minutes long, and starts about 21 minutes into the show. For the full 36-minute interview, which was too long and technical to air on the radio, scroll down to Episode 146.

ALSO – Security software entrepreneur Phil Lieberman, President of Lieberman Software, who has been serving as an adviser to members of the U.S. Senate on the cybersecurity bill…. sweeping new legislation that could impact every department in the Federal Government, and data security at the state level. That interview begins about 58 minutes into the show.

Tales from the Dark Web:

A 21-year-old cybercriminal parlayed his talent into  a Porsche, expensive watches and £30,000 in gold bullion. He’s been arrested.

Our Take on This Week’s News:

The rush to deploy smart meters:  Federal stimulus money can get you high, and it makes decision-makers really stupid.  The smart meters are among several advanced systems being deployed before they’re really ready, in terms of their vulnerability to cybercrime. BTW — Kudos to cnet’s Elinor Mills who wrote the article above. Well researched and thorough.

Buy a Chevy Volt – Get a Free Government Surveillance Device! Yes, if you’re one of the first to purchase, you’ll receive a super-fast charger for your garage… and it reports back to big brother on the details of your daily driving.

And if you like reporting to big brother about your driving habits, maybe you should move to the UK, where the cops have stored 7.6 billion images of cars moving through the streets.  HMP Britain is an interesting blog that’s posted the response to its FOIA request about the use of the data taken from CCTV —  a surveillance method ubiquitous in Britain.  HMP stands for “Her Majesty’s Prison” and it’s a prefix in the name of the slammer in every jurisdiction.  HMP Nottingham, etc…. The name of the website suggests the entire nation is a prison, according to its proprietor.

Sorry, wrong number:  Another week, AT&T and Apple team up for another giant blunder. Customers who logged onto their AT&T accounts to order the new iPhone 4 were greeted with someone else’s account information. Has anyone at these companies heard of web application security?

Goatse Security published a serious security flaw in Safari browser that impacts on the iPhone/iPad back in March. Apple has still not patched that flaw, and the code is available on the internet for any attacker to see.

The Disgruntled Employee Chronicles, Chapter 359:  How many times does this story have to play out before managers begin to realize that when you fire someone,  you have to terminate their user name and password.  This former employee was creating havoc inside the hospital’s network after he no longer worked there.

A serious flaw in Windows XP – No patch available. Bad guys taking advantage of the situation. Time to upgrade to Win 7 already? (Come on, Tommy Turtle… do it.)  Go here for information about some other measures you can take.

At last! A data breach story with a happy ending!  Department of the Interior lost a CD containing personal data for 7500 federal employees… but wait a minute…. The data was encrypted and password protected.  And the department reviewed its procedures to make sure it doesn’t happen again.  And they disclosed the loss of the disk within 10 days.  And then pigs started flying out the windows of the Department of the Interior building.  (Just kidding.  We salute the Department of the Interior. If only other federal agencies would implement and follow best practices.)

The good folks at EFF offer yet another great privacy and security idea!   HTTPS everywhere. It’s a Firefox plug-in that encrypts popular search engine and social media sites.  Also allows you to customize sites you visit frequently. Check it out.

More about the Google StreetView debacle. The roaming hacker cars grabbed user names and passwords, including for email accounts.

Everything Old is New Again. The USB typewriter, for instance.  Cute, but can you imagine hauling it onto an airplane?

Episode 146- su root Edition:

This is our unedited interview with David Perry, Global Director of Education for TrendMicro. We had a long conversation about iPhone security, web application security, and malware attacks. ALSO — David discusses an army of 300,000 Chinese cybercriminals. The interview is 36 minutes long. Click on the flash player below, or go to our listening options page and browse for other ways to hear the show.


Data Security Podcast Episode 73, Oct 11 2009

Posted in Breach, Business Continuity, Conference Coverage, Court Cases, criminal forensics, darkweb, ediscovery, eMail Security, Legislation, Podcast, Vulnerabilities, web server security on October 11, 2009 by datasecurityblog

30 minutes every week on data security, privacy, and the law…..(plus or minus ten)

On this week’s program:

* Major patching in store this week, due in part to flaws revealed this summer in Las Vegas?

* A fresh look at a Zeus banking attack counter-measure

* Our take on this week’s news.

–> Stream This Week’s Show with our Built-In Flash Player:

–> Scroll down to see links and show notes for this week’s show

–> Stream, subscribe or download Episode 73 – Listen or subscribe to the feed to automatically get the latest episode sent to you to your Google, Yahoo, iTunes, or other popular sites.

–>Tune into the show directly on iTunes, you can also subscribe to the program on iTunes.

–> A simple way to listen to the show from networks with stricter firewalls: Listen from Odeo. This site works better if you are behind a more restrictive enterprise firewall.

Please visit our sponsors, and be sure to let them know you heard about them on The Data Security Podcast:

  • Vipre Anti-Virus, the complete Antimalware solution by Sunbelt Software. If you TRY the enterprise version, you get the home version for FREE! Go to: http://www.testdrivevipre.com .
  • GamaSec Web App Scans: Spots cyber-hazards on your web site, and has advanced zero-day protection. GET YOUR FREE BASIC WEB APP SCAN, plus a special offer just for listeners to The Data Security Podcast. Go here to sign up, and add the offer code: Podcast.
  • SonicWall; Get the super fast UTM firewall that’s rated Five Stars (the Best rating) by Secure Computing Magazine. Data Clone Labs is the premier SonicWall Medallion Partner for all your security needs.
  • DeviceLock; Software that controls, manages and helps encrypt USB drives and other removable media. Get a free trial on their site, and be sure to let them know you heard about them on The Data Security Podcast.

Show Notes for Episode 73 of the Data Security Podcast

* Conversation:  Ira takes a new look at a counter-measure for the latest wave of Zeus banking attacks in his conversation with Steven Dispensa, CTO of PhoneFactor.

* Tales From The Dark Web: It’s like clockwork…two months after security events BlackHat and Defcon every summer in Las Vegas, we see a surge in patches for attacks that were highlighted at these events.  Microsoft Security Bulletin Advance Notification for October 13th 2009. Security Advisory for Adobe Reader and Acrobat for October 13th 2009, including the CVE number.

* From Our Take on The News:  Danger Will Robinson! Danger!  Update on Danger’s Sidekick Massive Data Loss.  Read the FAQ for tips on trying to salvage your data.

* From Our Take on The News:  Computer Network Denial Of Service Denial

* From Our Take on The News: Twitter shuts down legit security researcher, Mikko Hypponen.  Reports from his blog here, and an update here.

Twitter Shuts Legit Down Security Researcher's Account

Data Security Podcast Episode 71, Sep 28 2009

Posted in Court Cases, criminal forensics, darkweb, ediscovery, Legislation, Podcast, Vulnerabilities, web server security on September 27, 2009 by datasecurityblog

30 minutes every week on data security, privacy, and the law…..(plus or minus five)

On this week’s program:

* $4k per day scamming fake Viagra? That’s just the tip of the iceberg.

* Business bank accounts are the targets of attacks, businesses are responding with lawsuits against banks.

* Our take on this week’s news.

–> Stream This Week’s Show with our Built-In Flash Player:

–> Scroll down to see links and show notes for this week’s show

–> Stream, subscribe or download Episode 71 – Listen or subscribe to the feed to automatically get the latest episode sent to you to your Google, Yahoo, iTunes, or other popular sites.

–>Tune into the show directly on iTunes, you can also subscribe to the program on iTunes.

–> A simple way to listen to the show from networks with stricter firewalls: Listen from Odeo. This site works better if you are behind a more restrictive enterprise firewall.


Show Notes for Episode 71 of the Data Security Podcast

* Conversation: Samantha talks with attorney Dan Mitchell, of Bernstein Shur. His business client was the victim of one of the bank account attacks, resulting in a cash loss of over $500,000. His client is suing the bank. Coverage in Computerworld.

* Tales From The Dark Web: Pharma scams earn $4k per day for members of the Dark Web. Read that and a LOT more in the paper that Dimitry Samosseiko of SophosLabs presented to the Virus Bulletin Conference in Geneva, Switzerland. That event wrapped up last Friday.

* From Our Take on The News:  Waves of Twitter attacks erode trustworthiness of Tweets.

How much should you trust Tweets?

* From Our Take on The News:  How much of your business data should you trust to web mail?

* From Our Take on The News:  Cameras keep track of all cars entering Medina Washington.

Data Security Podcast Episode 56 – June 8 2009

Posted in Breach, Court Cases, criminal forensics, darkweb, ediscovery, eMail Security, Podcast, Vulnerabilities, web server security on June 7, 2009 by datasecurityblog

The Data Security Podcast is the place for 30 minutes of news every week on data security, privacy, and the law.

This week’s program – Twitter users are the target of a new, malicious web re-direct. How will The President’s new cybersecurity plan impact you? One of the nation’s top cryptographers weighs in. And, our take on this week’s news.

–> Stream, subscribe or download – Listen or subscribe to the feed to automatically get the latest episode sent to you to your Google, Yahoo, iTunes, or other popular sites.

–> Tune into the show directly on iTunes, you can also subscribe to the program on iTunes.

This week’s show is sponsored in part by Vipre Anti-Virus, the complete Antimalware solution by Sunbelt Software.  If you TRY the enterprise version, you get the home version for FREE! Go to: http://www.testdrivevipre.com . Also sponsored by  DeviceLock Removable Media Security Software.

The Show Notes Page for this week’s The Data Security Podcast

–> Ira has a conversation with Paul Kocher, President and Chief Scientist of Cryptography Research, Inc. about The Obama Administration’s new cybersecurity plans.

–> Tales From The Dark Web: Finjan‘s CTO Yuval Ben-Itzhak talks with us about a new web re-direction attack targeting users of Twitter.

–> From The News: Is there a constitutional right to informational privacy? The Ninth Circuit Court suggests there is by issuing an injunction in favor of contract employees at NASA who objected to invasive background investigations. But then the full Court declined to hear the case. So the question won’t be settled any time soon, but it raises some interesting issues.

Judge Kozinski’s dissent (we should hear the case)

Judge Wardlaw’s concurrence (we shouldn’t hear the case)

A dissection of the privacy issues by legal blogger Eugene Volokh at the Volokh Conspiracy. Don’t scroll — the link will take you to the top of the blog, and then jump to the correct post.

–> The Wrap:  Autorun Worm Invades ZIP

Autorun Worm Invaded Zip Files

StrongWebMail Bounty Attack – Caveat Emptor

Posted in Breach, eMail Security, Exclusive, web server security on June 7, 2009 by datasecurityblog

StrongWebMail has received publicity for the $10,000 bounty that the company’s chief executive offered if someone could break into his web mail account. The executive, Darren Berkovitz, posted his StrongWebMail username and password on the company web site.

IDG is reporting that three information security professionals are now claiming that they were able to pwn (“own”) Mr. Berkovitz’s StrongWebMail account. Although their exact method has not been revealed, IDG is reporting that the StrongWebMail site was vulnerable to cross site scripting attacks.

The Data Security Podcast had a conversation with Darren Berkovitz on Friday June 5th.

He was not yet ready to talk about the StrongWebMail bounty attack. But, he agreed to do so in the coming week. That conversation will be posted on June 15th, in Episode 57 of the Data Security Podcast.

He did talk with us on Friday about his service in general, and about the challenges of market adoption of multi-factor authentication.

StrongWebMail’s parent company, Telesign, is a provider of phone-focused multi-factor authentication services. The service allows owners of web sites to validate users with a phone call to end users. That call can contain a validation code, for use on the web site, in addition to a username/password pair. StrongWebMail is, in some ways, a proof of concept that is designed by Telesign to demonstrate the acceptance of multi-factor authentication for the world’s most popular web application: web mail.

According to Mr. Berkovitz, StrongWebMail uses an off-the-shelf web mail application once users get past validation.

And, that may be the chink in the armour that security researchers used. Rather than attacking the multi-factor element, IDG reports that the researchers created their own StrongWebMail accounts. They then used those accounts to launch attacks that allowed them to “hop over” from one user account to another, including, allegedly, hopping over to Mr. Berkovitz’s account.

If they waited for Mr. Berkovitz to log in, and then hopped over to his account, that could be a method to gain access to his account. If this indeed is the nature of the bounty attack, then it would re-emphasize the importance of securing the code of web applications. The best multi-factor systems cannot compensate for weaknesses in a web application.

So, if we are on the right track, then this is not a story about the weaknesses of a two-factor authentication system. This may simply be another example of the importance of security in web-based, or so-called cloud computing, applications. That includes web sites that assure customers that “our site is secure,” and sites that carry names, icons, or other technologies associated with information security in general.

Malware hiding as a UPS tracking email could hit enterprise networks

Posted in eMail Security on July 20, 2008 by datasecurityblog

According to Consumer Reports, and anti-spam company Marshal, there is a new wave of email malware being sent by members of the Darkweb. The Marshal posting shows a screen shot of the email and the attachment icons. This story will also be covered in Episode 10 of the Data Security Podcast, scheduled to post no later than Tuesday on this site.

The email looks like a UPS message about package tracking, a rather common email that people receive every business day.

Except, this message says the package has been delayed, and instructs the victim to open the attached “invoice” and go to the local UPS depot to arrange to receive the package. The attachment is an executable that hides itself with a common Microsoft Word icon, further fooling users.

Once the attachment is opened, the hidden malware is designed to connect the victim’s computer to a Russian server. That server installs a rootkit in the victim’s computer, which can give the attacker total control of the victim’s system, and access to information on that computer, and potentially other computers connected to the compromised system through network shares.

Consumer Reports reports that UPS says it “rarely” sends attachments in its communications with its customers.

The question remains: Why does UPS need to send attachments at all when sending delivery information? If business users would stick to text-only, non-HTML messages, then users would know not to open attachments, even when they look legit. Plus, the ever-growing number of mobile email users would always be able to read important messages on the go. If you administer an email system, it may be prudent to block .exe files, if you are not doing so already.
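The attachment-blocking advice above, as an added example (not code from the original post): a Python check a mail administrator could run on inbound messages. It blocks by file extension as the post suggests and, going one step further, also checks the leading bytes of each attachment so that an executable carrying a document name is caught too. The extension list, file names and sample message are constructed assumptions.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumed blocklist for this example; extend it to match local mail policy.
BLOCKED_EXTENSIONS = (".exe", ".scr", ".com", ".pif")
# Windows executables begin with the two-byte DOS header signature "MZ".
PE_MAGIC = b"MZ"


def flag_attachments(raw_message: bytes) -> list[tuple[str, str]]:
    """Return (filename, reason) for each attachment that should be blocked."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        payload = part.get_payload(decode=True) or b""
        if name.lower().endswith(BLOCKED_EXTENSIONS):
            findings.append((name, "blocked extension"))
        elif payload.startswith(PE_MAGIC):
            # The name looks harmless, but the content is an executable.
            findings.append((name, "executable content behind a document name"))
    return findings


def build_sample() -> bytes:
    """Constructed sample message; the 'executables' are only header stubs."""
    stub = PE_MAGIC + b"\x90\x00" + b"\x00" * 16  # not a working program
    msg = EmailMessage()
    msg["From"] = "tracking@example.com"
    msg["To"] = "user@example.org"
    msg["Subject"] = "Your package has been delayed"
    msg.set_content("Please open the attached invoice.")
    msg.add_attachment(stub, maintype="application", subtype="msword",
                       filename="UPS_invoice.doc")
    msg.add_attachment(stub, maintype="application", subtype="octet-stream",
                       filename="label.exe")
    msg.add_attachment("Tracking number: (constructed)", filename="tracking.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    for filename, reason in flag_attachments(build_sample()):
        print(f"BLOCK {filename}: {reason}")
```
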