Archive for Google

August 9 2012, Episode 268, Show Notes

Posted in Breach, Conference Coverage, Exclusive, Show Notes, Vulnerabilities with tags , , , , , , on August 9, 2012 by datasecurityblog

Episode 268 of The CyberJungle is about 49 minutes long.  You can hear it by clicking on the flash player below. The interview with Kevin Mitnick begins at about 6:30min.  You may download the file directly – great for listening on many smartphones. Or, you may go to the listening options page and browse for other ways to hear the show.

To listen to Episode 268 via the flash player:

Interview

Kevin Mitnick is an American computer security consultant, author, convicted criminal, and old school hacker.

Tales From The Dark Web

Still on a break. Word is that Tales From The Dark Web drank a bit much at DefCon parties, and has one heck of a hangover.

Our Take on This Weeks News

Cybercriminals destroy a reporters digital life

Advertisements

May 16, 2011 – Episode 213

Posted in Breach, Court Cases, criminal forensics, darkweb, ediscovery, Report Security Flaws, Show Notes, The CyberJungle with tags , , , , , on May 15, 2011 by datasecurityblog

Episode 212 of  The CyberJungle is about 38 minutes long.  You can hear it by clicking on the flash player below. You may download the file directly – great for listening on many smartphones. Or, you may go to the listening options page and browse for other ways to hear the show. The first interview start at about the 9min mark lasts about 11min. The second interview starts at about the 25min mark, and it’s about 12 minutes long.

To listen to Episode 212 via the flash player:

Interviews

Scott Cleland, author of  Search and Destroy, Why You Can’t Trust Google Inc.  And for the other links mentioned in the interview, look on the right column here.

Alyn Hockey, Director of Product Management at security firm Clearswift. Here is their blog.

Our Take on The Week’s News

PCI Compliance Risks for Small Merchants and where they are failing: Excellent summary, with actionable information, from Brian Pennington’s blog about IT security and compliance.

Additional Information Mentioned On The Show

TechEd Atlanta 2011:  Large Microsoft technical conference

CEIC Forensics Conference: Digital Investigations Show, Orlando, Florida

AccessData 2011 Las VegasDigital Forensics Conference

September 19, 2010 – Episode 173

Posted in Breach, Court Cases, criminal forensics, darkweb with tags , , , , on September 18, 2010 by datasecurityblog

Episode 173:

This week’s regular episode of  The Cyberjungle  is 1 hour and 13 minutes long. You can hear it by clicking on the flash player below, or you can go to the listening options page and browse for other ways to hear the show.

To listen to Episode 173 via the flash player:

Interview

Chris Hadnagy from Social-Engineer.org, which organized a social engineering contest at this year’s DefCon conference.  The contestants assumed made-up identities, and placed phone calls to 15 major American companies. Objective: cajole as much information as possible about company operations out of the employee on the other end of the phone. (The info would be of value to bad guys trying to cook up an attack.) Social-Engineer released its report this week on the results of the exercise. Our interview with Chris starts about 23 minutes into episode 173.  The interview is 7 minutes long.

Tales from the Dark Web

If you enjoy the occasional online porn adventure, heed this:  a trojan that monitors what you’re watching, then blackmails you.  “Pay us or we’ll tell the world what you’re watching.”

Ira’s recommendation: Change your computer to dual-boot with Linux as the other operating system. I like LinuxMint, VectorLinux, and (fav) PeppermintIce. These systems are best for web surfing, email, and word processing.

Our Take on This Week’s News

Texting money to politicians: Ready to text your political campaign donations? Politico reports on the legal issues surrounding campaign finance compliance. But says nothing about the security issues related to sending money via SMS.

Has Google’s HR department ever heard of a psychological profile? Google Engineer Repeatedly Accessed Customer data, Spied on Communications

Is the guy  in the next booth packing heat? Before you leave for dinner, check this website, launched last week in response to a new Tennessee law that allows permit holders to carry their firearms into bars and restaurants. The site indicates two categories of dining establishments –- those who allow guns and those who don’t.

Facebook alternative apparently has some security holes: What if you could have the convenience of Facebook, but strong privacy and security? That was the idea behind Diaspora. Some college students from NYU came up with the idea,  and posted the project on a web site where people can donate money to support new start-up business ideas. The students thought they needed $10k to build the code. They were written up in a New York Times story, and they raised nearly a quarter million dollars. Well, the very, very first version of the code is out, and the privacy and security experts are weighing in with harsh criticism.

SF law enforcement formula — treat the citizens like criminals: San Francisco mayor has ordered the cops to beef up security at nightclubs in the city, to prevent violence like the recent spate of shootings that included the killing of a German tourist near a comedy club. Cops want more cameras, metal detectors, police patrols paid by club owners, and ID scanners to capture the drivers license info from customers… which will be stored for 15 days.

New tool from Google:  Alerts to let you know if your web site is hijacked. Read more in a blog posting by Kelvin Newman at Site Visibility.

The Ninth Circuit lets the air out of its own ruling: An earlier ruling issued guidelines  for law enforcement to follow during searches of computers by law enforcements. The feds said the guidelines were “complicating” prosecutions, so the court overturned itself… sort of.  Read this. It’s not trivial.

The cost of free entertainment: Internet services and sites that offer free ring tones, movies, and other entertainment content, have a higher probability of delivering malware to your computer, according to a new report by Mack-ah-fee.

CyberJungle FAQ: Ira Mentioned HauteSecure, but their tool is now throwing errors. He will research alternatives and report back in a future episode of The CyberJungle.

July 18, 2010- Episode 155

Posted in Breach, Conference Coverage, Court Cases, criminal forensics, darkweb, Legislation, The CyberJungle, Vulnerabilities with tags , , , , , , on July 17, 2010 by datasecurityblog

You can hear episode 155 by clicking on the Flash player below, or if your device does not support Flash, you can visit our  listening options page for other ways to receive the show. Episode 155 is one hour and 14 minutes long.

Interviews

Jeff Bryner from pOwnlabs offers a preview of his DefCon presentation to be given in Las Vegas at the end of the month.  “Google Toolbar – The NARC Within” — how the tool bar spies on you. Jeff”s  interview is about 9 minutes long, and it begins 22 minutes into the episode.

Penetration Tester David Bryan, speaking for himself, (not his company,) will also present at DefCon —  “Cloud Computing as a Weapon of Mass Destruction.” His interview is just over 9 minutes long and begins at about 54 minutes into the episode.

Our Take on This Week’s News

The state of Utah is investigating the origins of a 29-page list of personally identifying information belonging to more than a thousand people the leakers say are illegal immigrants receiving benefits from the taxpayers.  This topic stirred up the immigration issue on the talk shows, but we’re interested in these questions:  What was the data access policy — who had access to this data and for what purpose? And should there be a set of guidelines for ethical whistleblowing (if that’s what the leakers were trying to do) where electronically stored information is involved?

The Bureau of Motor Vehicles in the state of Ohio is selling personal information about its licensed drivers.  For some reason, the primary beef is that the state isn’t making enough money selling the identities of its citizens.

NSA whistleblower facing 35 years in prison

Bank Account Takeover Attack Now Mimicking Credit Card SecureCode Systems

New  zero day Attack using USB drives. There is a Microsoft advisory for dealing with it.

Bluetooth is making it easier for cybercriminals to steal debit card numbers at the gas pump.

Google get patent on technology that monitors on your mouse movements as it relates to search results. And Google is becoming quite an established presence on Capitol Hill.

Photos taken with certain camera-enabled devices can reveal you location with geotags attached to the metadata.  Mayhemic Labs has scanned a couple of million photo links on Twitter, and was able to pinpoint location of the user in about three percent of them.  Then they created icanstlku.com to prove it.

Chinese Cyber Army presentation pulled at BlackHat under pressure from Taiwan.

May 23, 2010 – Episode 139

Posted in Court Cases, criminal forensics, Podcast, Show Notes, The CyberJungle, Vulnerabilities with tags , , , , , , , , , on May 22, 2010 by datasecurityblog

Interview Segment:

Josh Levy, a writer, internet strategist, and the organizer of a project called “pledge to leave facebook.” The interview is 9 minutes long, and it starts about 56 minutes into the show. Episode 139 is 1 hour and 12 minutes long. You can hear it by clicking on the flash player below, or click on the listening options page for other ways to listen.

To listen to Episode 139 via the flash player:

Our take on this week’s news:

Co-host Ira Victor is out of town.  Lee Rowland from the ACLU of Nevada sits in as guest co-host for a first-hour privacy round-up.  Recent issues include:

The Houston Police Department recently held a secret (no media allowed) event where the invited guests contemplated the use of drone aircraft for domestic law enforcement.  Nonetheless,  one news outlet got wind of it, and stationed its television cameras on the property next door. They caught the launch of the drone on camera.  Cops say they aren’t sure how they’ll use the technology, but aren’t ruling out anything. Watch the whole report.  It’s about four minutes long.

Incoming U.C. Berkeley freshmen are being encouraged to offer a  DNA sample.  And why were RFID chips implanted in Alzheimers patients without proper oversight?

TSA continues to roll out the full body scanning machines to airports across the nation.  Passengers don’t seem to be aware that they can opt for a pat-down instead of a virtual strip search.

Tough week for Facebook.  The Wall Street Journal reports the company gave personal info to advertisers. EFF offers insight.

On the heels of a CBS news investigative report about the data left on copy machine hard drives, the FTC is applying pressure to the makers of the machines to educate customers about scrubbing the hard drives.  (Xerox is leading the pack, according to one account.)

The first-ever jail sentence for a HIPAA violation has been imposed. We wonder why this guy was informed he was about to be fired, and then allowed to hang around and access patient records repeatedly.

Todd Davis of LifeLock told the world his social security number as an advertising gimmick, trying to prove a point, of course.  His identity has been successfully stolen 13 times since being “covered” by LifeLock.

Not cool enough for a mac?  Why the Apple Store refused to sell an iPad to a disabled woman. (She wanted to pay cash. Apple’s iPad policy was credit or debit card only.) And why Apple relented, and delivered the device to her home a few days later. (San Francisco television consumer reporter Michael Finney and his news feature “7 on Your Side” shamed them into it.)

April 24, 2010 – Episode 131

Posted in Breach, Business Continuity, Court Cases, criminal forensics, ediscovery, eMail Security, Exclusive, Legislation, Podcast, Show Notes, The CyberJungle, Vulnerabilities with tags , , , , , , , , on April 24, 2010 by datasecurityblog

Interview: Evan Ratliff joins us to discuss his attempt to vanish for a month, with Wired Magazine challenging readers to find him, and a $5,000 reward for anyone who snapped his photo and said the word “fluke.”  An online posse developed, Evan ducked discovery for 25 days, and was caught in New Orleans, a few days shy of his goal.  The interview is about 14 minutes long, and it starts about 57 minutes into Episode 131. You may stream the program here:

You may download Episode 131 here. Or visit the Listening Options page for more ways to hear the program.

Discussion: The texting case that made it to the U.S. Supreme Court.  We discuss with ACLU Attorney Lee Rowland Fourth Amendment protections as they apply (or don’t apply — that’s what the court is considering)  to text messages, and under what circumstances.  Our discussion with Lee is about 20 minutes long, and starts about 22  minutes into Episode 131

Our Take on This Week’s News

Amazon is fighting off a demand from the North Carolina Department of Revenue (the state tax collectors). The state wants a record of all Amazon purchases made by its residents, and it wants names, so it can collect the sales tax.  Amazon says “privacy violation.”  And remember Amazon’s original business was books, which have a special place in the law when it comes to protecting their owners from government intrusion.

Here’s the story as reported by c|net, and here’s Amazon’s complaint.

Cyberattack on Google Said to Hit Password System.  More has been revealed about the extent of the Aurora attack on Google.  This story was apparently leaked to the New York Times by someone familiar with the investigation.  It suggests huge implications for the security of all Google applications.

Facebook is becoming quite brazen about exposing user profile information. This opinion piece at EFF explains the latest piece of information to be taken out of the user’s control.

Related:  The Facebook “like it” button, coming soon to websites everywhere.

About the most straightforward information-sharing scheme we’ve seen yet:  Blippy mines your email and credit card statements (with  your permission) and posts every purchase you make.  Blippy is the VC flavor of the month, having just received $11 million.  Too bad some credit card numbers belonging to Blippy users turned up when some curious surfers hit Google with search strings containing the words “Blippy.com” and “from card”.  Will Blippy survive?  Probably, even in the face of a less-than-apologetic stance from the company (Co-founded by the infamous Pud, of the infamous FuckedCompany.com site from the “dot-bomb” period.)  Why anyone would want to be part of Blippy, especially now,  is a separate discussion.

Highly-paid SEC lawyers and accountants spent their days surfing porn sites while Bernie Madoff was making off with a whole lotta other people’s money. We ask why, in an entity whose mission revolves around audits and controls, were there no audit trails and controls to call attention to an employee with 16,000 attempts to access porn?  Shouldn’t this have been nipped in the bud before it spiraled out of control?

You probably read about some of the chaos that ensued from McAfee’s latest update.  But this story by a SANS incident handler takes the prize.

Malware mules:  We all know about drug mules and money mules.  But the black market for email credentials is creating some new opportunities.