Your daily source of Pwnage, Policy and Politics.

Recent Posts

Episode 839 – Goodbye, Farewell and So Long

InfoSec Daily Podcast Episode 839 for February 5, 2013.  Tonight's podcast is hosted by Rick Hayes with Dave Kennedy, Boris Sverdlik, Beau Woods, Adrian Crenshaw, Bill Gardner, Karthik Rangarajan, Geordy Rostad, Justin Brown, Keith Pachulski, Varun Sharma, Adrian Sanabria, and Themson Mester.  


We have reached the end of the road.  The time has come for us to say goodbye.  We'd like to thank all of our listeners and wish each of you nothing but the very best. 

Episode 838 – BigBrother in .de, FTC do not track mobile, Cisco study, 2FA for Twitter, and 4k banker credentials leaked.


InfoSec Daily Podcast Episode 838 for February 4, 2013.  Tonight's podcast is hosted by Justin Brown, Beau Woods, and aricon.


Announcements

ShmooCon

When: February 15-17, 2013

Where: Washington DC

http://shmoocon.org

Spridel is going, Them is going, IronGeek is going, Bill is going.


CarolinaCon

When: March 15-17, 2013

Where: Raleigh, NC

http://carolinacon.org/

CactusCon
When: March 22, 2013
Where: Tempe, AZ
Cost: Free
http://www.cactuscon.com/
Call for Sponsors is Open
CFP closes January 31

BSidesROC

When: April 6, 2013

Where: Cathedral Hall inside the Rochester Auditorium Center

http://www.bsidesroc.com/speakers/


BSidesPuertoRico

When: April 5-7, 2013

Where: San Juan, Puerto Rico

http://bsidespr.org/

CFP is open

Cost: TBD.


BSides Orlando

When: April 13-14, 2013

Where: Orlando, FL

http://bsidesorlando.com/

CFP is open http://www.securitybsides.com/w/page/61141960/BSidesOrlandoCFP

AIDE 2013

When: April 15-19, 2013

Where: Huntington, WV

http://appyide.org

CFP is open; send plain-text emails to Bill (dot) Gardner (at) marshall (dot) edu

Charlotte ISSA Summit
When: April 17 Training (hands-on course)
When: April 18 Summit
https://www.charlotteissa.org/2013%20Annual%20Summit
CFP is open
Cost: $20 for members, $50 for partners, and $80 for Non-members

BSidesLondon

@bsideslondon

When: April 24, 2013

Where: London, England

http://www.securitybsides.com/w/page/59132020/BSidesLondon-2013

https://docs.google.com/spreadsheet/viewform?formkey=dGYyQzA0N1hlY2J0cDEwS2RYcUk5WFE6MQ#gid=0

Thotcon
When: April 25-27, 2013
Where: Chicago, IL
http://www.thotcon.org/schedule.html

BSidesMemphis

When: May 18, 2013

Where: Southwest Tennessee Community College

http://www.securitybsides.com/w/page/59761145/BsidesMemphis2013

BsidesLV 2013 “Science Fair”

http://blog.uncommonsensesecurity.com/2012/08/the-bsides-las-vegas-2013-innovation.html

DerbyCon 3

When: September 25-29, 2013

Where: Louisville, KY

http://derbycon.com

Call for Training is OPEN!

Tickets and CFP open April 1, 2013

For easy use of the Amazon Affiliate link, use AffiliateFox. Configure it for amazon.com with infdaipod05-20, and for amazon.co.uk with infdaipod-21. Thanks for supporting the podcast!


Stories:

Source: http://www.wired.com/threatlevel/2013/01/camover-targets-cctvs/

It’s being called Grand Theft Auto for the surveillance generation, only instead of being played out in the digital world, it’s played out in the real world. And the object of the game isn’t to steal cars or pull off other underworld pranks but to take out Big Brother’s eyes by destroying CCTV surveillance cameras spread across the city.


That’s the new game being played in Berlin and other German cities under the rules of Camover [note: the website keeps changing addresses so link may not work], an activist sport for those who hate surveillance cameras, according to The Guardian.


Teams of players are charged with taking out as many cameras as possible — by ripping them out of mounts, cutting cables or covering the lenses with black paint using Super Soaker squirt guns — and videotaping the vandalism in the process.


Points are awarded for the number of cameras destroyed — with bonus points granted for the most inventive methods.


“We thought it would motivate inactive people out there if we made a video-invitation to this reality-game,” the creator of Camover told the Guardian. “Although we call it a game, we are quite serious about it: our aim is to destroy as many cameras as possible and to have an influence on video surveillance in our cities.”


The competition was launched as a protest against the European Police Congress being held in Berlin on February 19. There’s no real prize for the game. The winner gets front place in a protest that will take place three days before the congress begins.


The organizers of Camover explained their motivations on their web site:

“The gaze of the cameras does not fall equally on all users of the street but on those who are stereotypical predefined as potentially deviant, or through appearance and demeanour, are singled out by operators as unrespectable,” they write. “In this way youth, particularly those already socially and economically marginal, may be subject to even greater levels of authoritative intervention and official stigmatisation, and rather than contributing to social justice through the reduction of victimisation, CCTV will merely become a tool of injustice through the amplification of differential and discriminatory policing.”


Source: http://www.h-online.com/security/news/item/FTC-demands-Do-Not-Track-for-mobile-apps-1796943.html

The US Federal Trade Commission (FTC) has made another contribution to the growing debate over the privacy of personal data on smartphones and tablet PCs. With a package of recommendations, the US authority is urging mobile operating system and application developers to introduce more transparency in their products.


Users have a right to know what data is collected and what it is used for, said the FTC. Apps shouldn't be able to access GPS data or other personal information such as photos or contacts without the user's permission, it added. A year ago the Path social network created a stir by harvesting users' address book data without their permission; the FTC recently ordered Path to pay an $800,000 fine.


The commission also demands that platform developers implement "Do Not Track" (DNT) features that allow users to avoid being tracked for marketing purposes by advertising networks or other third parties for other reasons. The FTC has been demanding a similar feature for desktop browsers for some time and is now threatening to implement legal requirements. The authority said that although Apple's iOS and the mobile version of the Firefox browser already offer an appropriate switch, "Do Not Track" is far from being a standard feature in mobile devices. DNT also requires the communication partner on the other end of the connection to co-operate; users only state a preference by enabling the feature. Server operators are free to respect or dismiss this preference, and critics have therefore expressed their doubts about the usefulness of the switch.


With the guidelines it has now released, the FTC wants to emphasise that it is committed to ensuring the privacy of mobile device data. While the recommendations aren't binding for app developers and device manufacturers, any very obvious violations could result in being scrutinised by the trade commission. This could potentially lead to substantial fines such as those in the Path case.


Source: http://www.net-security.org/secworld.php?id=14334

Cisco released findings from two global studies that provide a vivid picture of the rising security challenges that businesses, IT departments and individuals face, particularly as employees become more mobile in blending work and personal lifestyles throughout their waking hours.


Despite popular assumptions that security risks increase as a person's online activity becomes shadier, the highest concentration of online security threats does not target pornography, pharmaceutical or gambling sites as much as it does legitimate destinations visited by mass audiences, such as major search engines, retail sites and social media outlets.


In fact, Cisco found that online shopping sites are 21 times as likely, and search engines are 27 times as likely, to deliver malicious content as a counterfeit software site. Viewing online advertisements? Advertisements are 182 times as likely to deliver malicious content as pornography.


Security risks rise in businesses because many employees adopt "my way" work lifestyles in which their devices, work and online behavior mix with their personal lives virtually anywhere – in the office, at home and everywhere in between. The business security implications of this "consumerization" trend are magnified by a second set of findings from the Cisco Connected World Technology Report (CCWTR), which provides insight into the attitudes of the world's next generation of workers, Generation Y.


Source: http://www.guardian.co.uk/technology/2013/feb/04/twitter-authentication-prevent-account-hacking

Twitter plans to introduce a "two-factor authentication" option that would make it impossible for hackers or vandals to break into accounts – even if they acquired the passwords.

The "2FA" system, which is also offered as an option by Google for its Gmail email system, blocks access from new devices or internet addresses, even when using the correct password, unless accompanied by a short numerical code that is sent separately to the account owner's mobile phone.

The news comes just days after the company reset the passwords on at least 250,000 accounts, after hackers broke into its systems and were suspected of accessing users' data, including email addresses and encrypted passwords. Twitter said it reset the passwords as a safety measure, and that it was not certain whether the hackers had accessed them.
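The mechanism the Guardian piece describes, as an added Python sketch that is not Twitter's or Google's code: a login from a device/IP pair the account has not seen before is held until the user proves possession of the phone by entering a code sent out of band. The class name, the in-memory stores and the `sms_outbox` list standing in for an SMS gateway are all assumptions made for the example. It keeps only a salted HMAC of the code server-side, expires codes after five minutes, caps guesses per code, and compares in constant time; on success the device/IP pair is remembered so the password alone suffices next time, which is why a stolen password by itself does not get an attacker in from an unfamiliar device.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Optional

OTP_TTL_SECONDS = 300   # a code is only good for five minutes
MAX_ATTEMPTS = 3        # guesses allowed per issued code


@dataclass
class PendingChallenge:
    """A code sent to the user's phone, stored only as a salted HMAC."""
    code_hash: bytes
    salt: bytes
    expires_at: float
    attempts_left: int = MAX_ATTEMPTS


class SecondFactorGate:
    """Hypothetical login gate: unknown device/IP pairs must prove possession of the phone."""

    def __init__(self):
        self.trusted = {}      # user -> set of (device_id, ip) pairs already verified
        self.pending = {}      # user -> PendingChallenge awaiting a code
        self.sms_outbox = []   # constructed stand-in for an SMS gateway: (user, code)

    @staticmethod
    def _hash(code, salt):
        # Never keep the plaintext code server-side; a leaked store must not reveal live codes.
        return hmac.new(salt, code.encode(), hashlib.sha256).digest()

    def login(self, user, password_ok, device_id, ip, now: Optional[float] = None):
        """Return 'denied', 'allowed', or 'challenge' (a code was sent; call verify())."""
        now = time.time() if now is None else now
        if not password_ok:
            return "denied"
        if (device_id, ip) in self.trusted.get(user, set()):
            return "allowed"                      # known device: password alone suffices
        code = f"{secrets.randbelow(10 ** 6):06d}"   # CSPRNG, six digits, leading zeros kept
        salt = secrets.token_bytes(16)
        self.pending[user] = PendingChallenge(
            self._hash(code, salt), salt, now + OTP_TTL_SECONDS)
        self.sms_outbox.append((user, code))      # real deployment: hand to the SMS provider
        return "challenge"

    def verify(self, user, code, device_id, ip, now: Optional[float] = None):
        """Check the code; on success trust this device/IP pair for future logins."""
        now = time.time() if now is None else now
        ch = self.pending.get(user)
        if ch is None:
            return False                          # nothing outstanding (or already burned)
        if now > ch.expires_at:
            del self.pending[user]                # expired: force a fresh login
            return False
        ch.attempts_left -= 1
        ok = hmac.compare_digest(self._hash(code, ch.salt), ch.code_hash)  # constant-time
        if ok:
            del self.pending[user]
            self.trusted.setdefault(user, set()).add((device_id, ip))
            return True
        if ch.attempts_left <= 0:
            del self.pending[user]                # guesses exhausted: this code is burned
        return False


if __name__ == "__main__":
    gate = SecondFactorGate()
    print(gate.login("alice", True, "phone-1", "203.0.113.7", now=1000))   # challenge
    _, sent_code = gate.sms_outbox[-1]
    print(gate.verify("alice", sent_code, "phone-1", "203.0.113.7", now=1010))  # True
    print(gate.login("alice", True, "phone-1", "203.0.113.7", now=1020))   # allowed
```

The attempt cap and short lifetime are what make a six-digit code tolerable: without them the space is only a million guesses. The remembered pair is a (device, address) tuple rather than the address alone, matching the article's "new devices or internet addresses" wording; a production system would persist it with an expiry rather than forever.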


Source: http://www.theverge.com/2013/2/4/3950732/anonymous-posts-banking-industry-details-in-aaron-swartz-protest

Source: http://dt.smzfcg.gov.cn/UpFiles/oops-we-did-it-again.html


Since the suicide of activist Aaron Swartz in early January, hackers operating under the Anonymous banner have come out in full force, organizing a blockade against Westboro Baptist Church picketing and hijacking MIT's website with a memorial message. Now, they've released what appear to be documents on 4,000 members of the banking industry. The file was originally posted on the hacked site of the Alabama Criminal Justice Information Center — though the page is now gone, it's still possible to find a cache.


[END]