Archive for PGP

May 29 2018, Episode 401, Show Notes

Posted in Breach, Conference Coverage, Court Cases, criminal forensics, darkweb, ediscovery, eMail Security, Exclusive, Podcast, Show Notes, The CyberJungle, Vulnerabilities with tags , , , , , on May 29, 2018 by datasecurityblog

Episode 401 of The CyberJungle is about 32 minutes long.  The interview with Steve Whalen of Sumuri starts at 12:45, and the twin interviews with Jerry Kaner of Ciphertex and Jeff Hedlesky of OpenText, starts at 19:27. You may download the file directly – great for listening on many smartphones. Or, you may go to the listening options page and browse for other ways to hear the show.

To listen to Episode 400 via the flash player:

Newsmaker Interviews

Sumuri CEO Steve Whalen on new MAC forensic tools

High speed forensic imaging and encryption with Jerry Kaner, CEO of Ciphertex and Jeff Hedlesky, Evangelist with OpenText . The link for training.

Our Take on This Week’s News

Stealthy, Destructive Malware Infects Half a Million Router

Big bimmer bummer: Bavaria’s BMW buggies battered by bad bugs
How One Recalled SUV Destroyed $45 Million In Cars, Burned A Massive Ship, And Sparked A Legal Battle Between Ford And BMW
How to turn off bold/italics/underline in HTML mail displayed as plaintext?
Efail or OpenPGP is safer than S/MIME

Tales from The Dark Web

On break due to Enfuse 2018 coverage


10th Anniversary content coming in a future episode

PLEASE SUPPORT OUR SPONSOR – PFIC: Paraben Forensic Innovations 2018

This 2-day event brings together industry experts on a variety of topics in both lectures and labs. The best part of PFIC is as an attendee you get to attend 100% of the content with the unique rotating format of A and B days. One day you attend all the lectures the next you attend all the labs. Plus see Ira Victor, of the CyberJungle, speak. Register early seats are limited.


PFIC 2017,



Phil Zimmerman, Dan Kaminsky, and Brenno de Winter on the DefCon “Subway Hack” Talk

Posted in Breach with tags , , , , , , on August 10, 2008 by datasecurityblog

The hacker conference Defcon is proving to be the source of breaking news this year. A lot of the technology news coverage to come out of the show concerns the three MIT students that were to present a talk on the vulnerabilities in the transit pay cards used in the Boston area by the Massachusetts Bay Transportation Authority. The same system is used in and some other cities in the US.

The Data Security Podcast spoke with some noted security experts for their take on the Subway Card Hacking controversy. But first, a quick review of the facts as they were presented here.

The Massachusetts Bay Transportation Authority went to federal court on Friday, Aug 8th to get an injunction against the students to prevent them from giving their talk at DefCon. Cnet’s is doing a great job on that coverage, including coverage of yesterday’s press conference at 2PM PT with the students their lawyer from the Electronic Frontier Foundation.

One of the deeper issues of contention is when the students actually disclosed the vulnerabilities to the transit authority in Massachusetts. Giving disclosure in private to the transit authority would allow time to make changes to their systems in response to the vulnerabilities.

During yesterday’s press conference, the students, through their spokesperson, EFF attorney Kurt Opsahl, would not answer when they were asked they disclosed the results of their work to the Massachusetts Bay Transportation Authority officials.

Late in the day Saturday, The Data Security Podcast spoke with two well respected information security experts, Phil Zimmerman, and Dan Kaminsky.

Phil Zimmerman was the creator of Pretty Good Privacy, an encryption tool that was the target of a long legal battle with the federal government that began seventeen years ago (and has since been resolved).

Phil told the Data Security Podcast that if the unconfirmed reports are true that the MIT students only gave the Massachusetts Bay Transportation Authority less than ten days notice of their talk at DefCon, then the students acting in an irresponsible manner by not giving the MBTA time to put into place changes or mitigating controls in response to the flaw they students allege. Phil said that many times information security researchers find a flaw, and in their excitement they rush out to show the world the flaw, which may not always be wise.

Dan Kaminsky is famous now for what is recognized by many security experts as the ethical way to disclose a security vulnerability. Dan went to great lengths to keep the nature of a major flaw he out of the public eye until vendors could build patches to mitigate the flaw.

Dan’s comments focused on a more practical part of the controversy. Dan said, that there are “No signs that suppression of [security] talks accomplishes the [intended] goal. Suppression of speech highlights the issue.” Dan feels that all the attention this controversy is bringing will encourage others to uncover the flaws. Interestingly, the buzz at the conference is that a lot of the information in the MIT student’s talk was already uncovered by other researchers, and that information is on the internet. It appears that the MIT students leveraged flaws that were already

Dan also commented, that for the information security industry in general, when a flaw is uncovered by researchers, “You can expect co-operation from software vendors more than ever today.”

Giving credibility to Dan’s assertions is Brenno de Winter. Brenno is a Dutch journalist who has been covering the flaws in systems in Holland and the UK. Brenno says those systems are very similar to the ones in Massachusetts, and in other parts of the U.S. Brenno gave a talk today at
DefCon on Dutch researchers who uncovered the flaws in the systems in use in Holland and the UK.

Brenno claimed that these RFID systems are not only used by transit agencies in Holland and the UK, but also for door access control by government agencies, data centers, and other secure areas.

Brenno showed a YouTube video and demonstrated how simple it is to defeat these systems, and how the information about these attacks are available by doing simple Google searches. Brenno also stated that Chinese electronics makers have had the equipment and access cards for sale on the “grey market” that would permit the creation of cloned cards.

Brenno speculated that all the attention on this topic will probably result in open source and other tools being released by security researchers interested in the topic. “It would be ignorant to think otherwise,” according to Brenno. One researcher that Brenno spoke with said that a modified iPhone could be used to get information from these access cards. By merely walking in an area where people have these cards in their wallets or purses, the access information on the card could be cloned.

If Brenno claims are true, it appears that Pandora’s box is already open on at least some of the flaws the MIT students were going to talk about. Here is the takeaway: When a security flaw is discovered by security research, the responsible action is to privately inform the company that
makes the product, and give them a reasonable amount of time to address the flaw.
When companies are informed about a flaw, the prudent action is to understand the flaw and make the changes needed. Trying to keep the information away from the public is probably futile once a flaw is discovered.

We will cover more on DefCon in this week’s Data Security Podcast.