Archive for web application security

July 25, 2011 – Episode 223

Posted in Court Cases, darkweb, Report Security Flaws, Show Notes, The CyberJungle, Vulnerabilities, web server security with tags , , , , , on July 25, 2011 by datasecurityblog

Episode 223 of  The CyberJungle is about 31 minutes long.  You may hear it by clicking on the flash player below. The interview begins at about 15min. You may download the file directly – great for listening on many smartphones. Or, you may go to the listening options page and browse for other ways to hear the show, including a direct link to our audio feeds.

To listen to Episode 223 via the flash player:

Interviews

Imperva CTO, Amichai Shulman on the web app attack preso you won’t see at BlackHat Las Vegas.  As a part of their ongoing Hacker Intelligence Initiative, Imperva has compiled a Web Application Attack Report (WAAR) that gives a new insight into attacks against the top 30 web applications based on more than 10 million individual attacks over the last 6 months.  WAAR outlines the frequency, type and geography of origin of each attack.  Surprisingly a little known type of attack has become very common. Blog.Imperva.com was the link mentioned in the segment

Our Take On This Week’s News

The CyberJungle Radio’s take on this Las Vegas Review Journal news story: Providing Wi-Fi as a perk has a price for businesses

Mac battery cyberflaw exposes explosive risk?

Wrap

No Soup For You! No over the air updates for jailbroken iOS5 powered devices, according to the ZDNet posting


Conference Coverage

The CyberJungle goes to BlackHat Las Vegas and DefCon19  week. Get the reports in Conference Notes starting the middle of next week.

Advertisements

March 7, 2011 – Episode 203

Posted in Breach, Business Continuity, Court Cases, criminal forensics, ediscovery, Exclusive News, Legislation, Podcast, Show Notes, The CyberJungle, Vulnerabilities with tags , , , , , , , , , , , , on March 7, 2011 by datasecurityblog

Episode 203 of  The CyberJungle is about 53 minutes long.  You can hear it by clicking on the flash player below. You may download the file directly – great for listening on many smartphones. Or, you may go to the listening options page and browse for other ways to hear the show. The interviews start at about the 25:30 mark.

To listen to Episode 203 via the flash player:

Interviews

Charlie Miller, 3x Pwn2Own “hacking” contest winner stays home; response by Dragos, Founder of CanSecWest . Follow Charlie on Twitter.

Tales From The Dark Web

Exactly what is the “boy-in-the-browser attack?”

Our Take on The Week’s News

Lawsuit accuses Amazon of capturing and sharing customer information without permission by tricking Microsoft Internet Explorer

Google Android in app malware flap, iPad2 security, and Blackberry Playbook running Android apps + better security? Interview on Playbook security Ira Victor mentioned in this segment. You may download the segment, or listen to the conversation here:

Via the flash player:

More mobile security news, Keeping Tabs on Android Smartphone Activity.

Proof once again that disgruntled employees are among the most dangerous cybercriminals… Texas man sentenced after breaching former employer’s network and deleting critical business files.

Wrap

OtterBox Cases for slider Smartphones: Samantha and Ira give a new OtterBox the field test

October 17, 2010 – Episode 181

Posted in Breach, Court Cases, criminal forensics, darkweb, ediscovery, Legislation, The CyberJungle, Vulnerabilities with tags , , , , , on October 17, 2010 by datasecurityblog

Episode 181:

This week’s regular episode of  The Cyberjungle  is 1 hour and 13 minutes long. You can hear it by clicking on the flash player below, or you can go to the listening options page and browse for other ways to hear the show.

To listen to Episode 181 via the flash player:

Interview

Jason Miller, patch management expert with Shavlik Technologies, tells us how to deal with the biggest patch release in modern IT history… which took place on Tuesday, October 12.  Jason’s  interview is 8 minutes long, and it begins about 24 minutes into Episode 181.

Tales from the Dark Web

You’ve  heard of  “software as a service”… Now there’s “crimeware as service” —  a convenient way for the bad guys to outsource their criminal acts.

Our Take on This Week’s News

What’s in your medicine cabinet? The Feds and 34 states are putting together a giant prescription drug database so they can review the contents.

What did he know, and when did he know it? At least one IT staffer in the Lower Marion School District waxed fondly about the remote tracking capabilities on the laptops issued to students who later sued the district for spying on them.

Bullying is bad, um-kay? President Obama holds a town hall with MTV viewers, during which he tells them there should be zero tolerance for bullying — cyber or otherwise.

Security tradeoff: caution for coolness – Device Reputation Service Reveals iPhone at Top of Mobile Transaction Fraud Risk.

Your building pass could be more valuable than ever – Some federal employees will see their CACs (common access RFID cards) expanded. They’ll still get the card holder into a building or a computer system. But the cards will be expanded to include to include mass transit fares, debit payment, and ATM functionality… all in one card.

Mixing business and pleasure – Explosive growth of mobile devices leads to security risks as workers use their own devices to store and transmit work data.

Fun finder or stalker tool? The website wheretheladies.at monitors social networking sites to help dudes locate gatherings of women.  But blogger Jason Stamper conducted an experiment that points out the dangers women might face when they publish all the details of their daily lives.

Kudos for baking it in! New version of Opera to have extensions with software code check for security.

September 25, 2010 – Episode 175

Posted in Annoucements, Breach, Conference Coverage, Court Cases, darkweb, Podcast, Show Notes, The CyberJungle, Vulnerabilities, web server security with tags , , , on September 26, 2010 by datasecurityblog

Episode 175:

This week’s regular episode of  The Cyberjungle  is 1 hour and 25 minutes long. You can hear it by clicking on the flash player below, or you can go to the listening options page and browse for other ways to hear the show.

To listen to Episode 175 via the flash player:

Interview

Lance Spitzner from the SANS “Securing the Human” project joins us to discuss the final (and largest) hole in network security. It’s the users, stupid.  Millions of hours and billions of brain cells have been spent securing computers and networks.  The job will never be done until we secure the humans.  Our interview with Lance is about 5 minutes long, and it starts about 25 minutes into the show. Lance’s blog posting with slides from his presentation at SANS Las Vegas.

Tales from the Dark Web

Twitter attack is warning to social network users

We all love to give our opinions.  Apparently, the bad guys know it. The latest dark web scam involves online and email surveys.

Our Take on This Week’s News

Teacher fired for posting a blog that included references to various students. The article in the Austin Statesman is unclear, but the reader comments help us piece together the story. Apparently this teacher, who was last year’s teacher of the year, wrote a blog on which she contemplated how to approach teaching challenges presented by some of her individual students.  Her mistake was probably posting photos.  One comment indicates that she did not identify any of the students by name.  We are inclined to blame the administration for failure to make clear the policies regarding federal student privacy laws (FERPA).

“Respondent May NOT Use Internet in Any Manner to Communicate About Petitioner Ever Again.” An order handed down in a divorce case.  The question on the Volokh Conspiracy is whether the order in constitutional.  (Remember free speech?) You can’t libel someone, and maybe you can be gagged during litigation, but the government can’t permanently keep you from trashing your ex.

Wonder how many jobs this created or saved? Federal stimulus dollars are being used for an RFID program to track preschoolers.    ACLU and EFF open a can of whip-ass.

Lawyers heart Facebook! Best not to post photos of yourself looking healthy and robust on Facbook if you’re in litigation for a personal injury.  A judge has ordered  the private portions of plaintiff’s Facebook are discoverable,  since the public portions suggest she’s having more fun that she claims her physical condition permits.

U.S. Cybercommand proposing an internet “safe zone” for government and such critical industries as utilities and banking.  A super-safe segregated network might raise as many questions as it answers. Read various versions below for a variety of angles.

http://www.washingtonpost.com/wp-dyn/content/article/2010/09/23/AR2010092302171.html

http://www.washingtonpost.com/wp-dyn/content/article/2010/09/23/AR2010092305431.html

http://www.nytimes.com/2010/09/24/us/24cyber.html?_r=1&ref=technology

http://www.wired.com/dangerroom/2010/09/militarys-cyber-commander-swears-no-role-on-civilian-networks/

http://www.informationweek.com/news/government/security/showArticle.jhtml?articleID=227500515

Worm attack on Iranian nuke facility. Is this malware part of a nation-state attack?

Top ten internal threats to network securityThis how the risks stack up according to researchers at Fortinet.

August 15, 2010 – Episodes 162 and 163

Posted in Breach, criminal forensics, darkweb, ediscovery, eMail Security, Show Notes, The CyberJungle, Vulnerabilities, web server security with tags , , , , on August 15, 2010 by datasecurityblog

Episode 163 is the this week’s full episode of The CyberJungle, posted immediately below.  Episode 162 is the su root edition for advanced listeners – material that’s too technical for the radio.  The advanced material consists of an interview with Wayne Huang,  who did early research that led to the discovery of the drive-by download.  Scroll down to the end of this batch of show notes to find it.

Episode 163:

This week’s regular episode of  The Cyberjungle  is 1 hour and 19 minutes long. You can hear it by clicking on the flash player below, or you can go to the listening options page and browse for other ways to hear the show.

To listen to Episode 163 via the flash player:

Interview

Wayne Huang is an executive at Armorize, working in Taiwan. His early research led to the discovery of what we now call drive-by downloads.  This episode of the Cyberjungle has a 7-minute interview with Wayne, which is a bit more elementary than the 35-minute su root version at the bottom of this set of show notes.  The 7-minute interview starts at about 24 minutes into episode 163.

Free Open Source Project to fight drive-by downloads is at Drivesploit.

Tales from the Dark Web

When your patch reminders pop up on your screen automatically, that’s a convenience.  When they arrive by email, that’s a scam.

Our Take on This Week’s News

Is Google buying microdrones like the ones in this vide0? And if so, what will Goolge do with them? Seems unclear at this point, but the implications kind of freak us out.

This is about as low as it gets: Cybercriminals pose as American military men — even fallen soldiers — creating fake dating profiles to ensnare women romantically and then ask them for money.

Everyone wants an iPad… we wonder if elected officials are willing to contort financial reality and ignore open meeting law requirements in order to play with an iPad on the taxpayers dime.  This USA today report says city councils are buying iPads to save the cost of paper.  But they might be buying a whole lot of trouble that will make the paper budget seem trivial.

City of San Francisco’s former network administrator Terry Childs was sentenced to 4 years for locking the city out of its network.  He’s been cooling his heels in jail for two years during the trial, and now it looks like he’ll serve about another 6 months with credit for time served. The San Francisco Weekly had the best summary of the case, and seems to be the only media outlet that truly grasps the moral of the Terry Childs story.

Attention merchants and other businesses relying on credit card purchases. PCI 2.0 is coming in October, and will probably become effective in January.  Yes, it will require more of you. Here is the current standard. The new standard will require web application logging, and better accountability and tracking of credit card number within the business network.

Apple iPhone Patches have been distributed for devices affected by the jailbreakme flaw.  Problem is, the patches work selectively. They do not apply to all devices.  Available for: iOS 2.0 through 4.0.1 for iPhone 3G and later, iOS 2.1 through 4.0 for iPod touch (2nd generation) and later. Here’s Apple’s report on the flaw.  Jay Freeman (Saurik) has made an unofficial patch for one (CVE-2010-1797) of the two vulnerabilities patched by Apple. It’s available for Jailbroken devices via Cydia,  and will work also on the older devices that have not yet received any updates from Apple, plus new devices if you don’t want to use Apple’s update.

Adobe Flash problems aren’t solved after upgrades.

Cybercriminals are already gearing up for the holidays, creating booby traps for likely Halloween and Thanksgiving search terms.

Did your shrink leave town for a convention this week?  If (s)he is attending the San Diego gathering of the American Psychological Association, you might want to text him or her, and warn about the social networking app the convention organizers have made available.  Seems the attendee code on the ID badges double as the log-in codes for the shrink network.  Oops… one wrong digit and you can view someone else’s conference registration data.

CyberJungle FAQ

1. From Steve: Our small business is running rather old PCs. Many of them are over 7 years old, and they take for ever to boot up. We are on a tight budget, we are seeing refurbished PCs with XP and new PCs with Windows7, is it worth the extra money to upgrade to Windows7? Will we get improved security?

A: YES, and your company can purchase refurbished PCs running Windows7. Get the 64 bit version, and upgrade to Office2010, for improved security and productivity.

2. From Malik: We are having a lot problems with our business email server. We are a company with less than 20 employees, but we are spending a lot of money with our IT guy on the server, where the email, and our filesve. He says we should buy a new server. The one we have is about 5 years old. Should we buy a new server, or, should we look at switching to something like gmail?

A: Get a new, smaller file server that runs Windows2008, or (even better) Linux. Buy business-grade email services from a quality firm that offers hosted Microsoft Exchange, or Open Source Zimbra.

3. Andrew: Our employees want to use their own iPads at work. They want to access work files, do email, take notes, and do other tasks. If they want to buy the iPads on their own, what are the risks to our business.

A: Plenty. Ediscovery, loss of business data, are just two. Wait a few months as business-grade alternatives to iPads are released. They are just about to be launched into the market for just your situation.

Episode 162 – su root edition:

This is our unedited edition, featuring a longer and more technical conversation with Wayne Huang of Armorize, discussing his early research that led to the discovery of drive-by downloads  The audio file is 35 minutes long.

You can hear it by clicking on the flash player below, or you can go to the listening options page and browse for other ways to hear the show.

To listen to su root edition (episode 162)  via the flash player:

July 31, 2010 – Episode 159

Posted in Breach, Court Cases, criminal forensics, darkweb, ediscovery, Show Notes, The CyberJungle with tags , , , , , , , , on August 2, 2010 by datasecurityblog

You can hear episode 159 by clicking on the Flash player below, or if your device does not support Flash, you can visit our  listening options page for other ways to receive the show. Episode 159 is one hour and 9 minutes long.

Interviews

Interview #1 – Jeremiah Grossman, CEO of White Hat Security,  discovered an odd security flaw in the Apple Safari Browser. Alas, he tried to notify Apple, only to be rebuffed. He posted the story on his blog, and he decided to go public at Black Hat, and just about the time we finished this interview with him, Apple acknowledged the problem.  Fix pending.  Hear an overview of Jeremiah’s presentation in Episode 159. It’s 11 minutes long, starting about 12 minutes into the show.

Interview #2 – Mickey Boodaei, CEO of security firm Trusteer, has been hard at work on the banking trojan problem, and they’ve got a problem that may help. We discuss it with him in Episode 159. It’s 10 minutes long, starting at 55:00.

Tales from the dark web

Mariposa Botnet facilitator arrested. (You may remember that Panda Security was on top of Mariposa months ago, as we reported in this interview from the RSA Security Conference2010.)

Our take on this week’s news:

Virulent Microsoft link attack affects just about everyone. The prediction is that this one will be big. UPDATE: MICROSOFT ISSUES EMERGENCY PATCH

A really insulting  psychological profile of iPad users. The only thing they left out is that iPad users pull the whiskers off kittens.

Krebs on security writes about the victims of scareware – they end up buying the stuff, and then they’re embarrassed to go to the police. Good piece

Banks have long since stopped moving paper checks from one location to another, preferring the economy of scanning. What if someone broke into the digital repository where they store all those pictures of checks?… Someone did.