Your daily source of Pwnage, Policy and Politics.

RSS feed issues resolved

Thanks to our listeners who let us know about the issue. We were finally able to resolve the problem with the RSS feed not reporting the mp3 file size correctly by switching over to FeedBurner. The file-size issue turned out to be hit or miss, and it never affected the iTunes XML.

Episode 141 – Ubuntu 1 – Apple 0

[podcast]http://isdpodcast.com/podcasts/InfoSec Daily Podcast Episode 141.mp3[/podcast]
ISD Podcast Episode 141 for May 31, 2010. This podcast is our contribution back to the community: we discuss vulnerabilities of interest and information security related news, hopefully providing you a few laughs and a little knowledge.

Announcements:

MyHardDriveDied.com:

  • MHDD Data Recovery Class current dates and locations:
    • San Francisco – June 14th–18th
    • Atlanta – July 12th–16th
    • Dallas, TX – October 11th–15th
    • Washington DC – December 6th–10th
    • Cost is $3500 for all classes. To reserve and register, call (678) 445-9007, email smoulton@nicservices.com or go to http://www.myharddrivedied.com. Use the discount code isdpodcast for a $300 discount.

SANS Mentoring Program:

  • Jason Lawrence will also be putting on the SANS Mentor Forensics 508 – Computer Forensics and Investigations course in Sandy Springs, running Tuesday, June 22, 2010 through Tuesday, August 24, 2010 (http://www.sans.org/mentor/details.php?nid=21538). Use the discount code isdpod15 for a 15% discount.

Atlanta ISSA:

North Alabama ISSA:

Friends of the Podcast:

Web hosting services: WebSpeedway

Stories of Interest:
News item 1: http://www.computerworld.com/s/article/9176883/P2P_networks_a_treasure_trove_of_leaked_health_care_data_study_finds
Nearly eight months after new rules were enacted requiring stronger protection of health care information, organizations are still leaking such data on file-sharing networks, a study by Dartmouth College’s Tuck School of Business has found.

In a research paper to be presented at an IEEE security symposium on Tuesday, Dartmouth College professor Eric Johnson will describe how university researchers discovered thousands of documents containing sensitive patient information on popular peer-to-peer (P2P) networks.

One of the more than 3,000 files discovered by the researchers was a spreadsheet containing insurance details, personally identifying information, physician names and diagnosis codes on more than 28,000 individuals. Another document contained similar data on more than 7,000 individuals. Many of the documents contained sensitive patient communications, treatment data, medical diagnoses and psychiatric evaluations. At least five files contained enough information to be classified as a major breach under current health-care breach notification rules.

While some of the documents appear to have been leaked before the Obama administration’s Health Information Technology for Economic and Clinical Health (HITECH) Act was enacted, many appear to be fairly recent. A previous study by Dartmouth in 2008 also unearthed files containing health-care data floating on P2P networks such as LimeWire, eDonkey and BearShare. Among the documents found in that study was one containing 350MB of patient data for a group of anesthesiologists and another on patients at an AIDS clinic in Chicago.

News item 2:  http://news.cnet.com/8301-1009_3-20005844-83.html?part=rss&subj=news&tag=2547-1_3-0-20

Botnets are available for hire for as little as $8.94 an hour, underscoring how little financial muscle or technical expertise is needed to carry out attacks, according to VeriSign’s cybersecurity intelligence arm.

VeriSign said Monday that it carried out an online investigation into 25 botnet operators in February, targeting botnet services advertised on three Web forums. The study found that hourly botnet rental pricing started at $8.94, while the average price for a 24-hour rental was $67.20.

The services advertised a number of attack vectors, including ICMP, SYN, UDP, HTTP, HTTPS, and Data. The botnet operators plied their wares via the same techniques as legitimate businesses, such as via forums and banner ads. One botnet operator offered a pricing structure for taking down sites that have anti-attack measures installed.

News item 3: http://www.zdnet.com/blog/hardware/ubuntu-lucid-lynx-1004-can-read-your-iphones-secrets/8424

Do you have a PIN code on your iPhone? Well, while that might protect you from someone making a call or fiddling with your apps, it doesn’t prevent access to your data … as long as the person doing the snooping around is using Ubuntu “Lucid Lynx” 10.04.

Security experts Bernd Marienfeldt and Jim Herbeck discovered something really interesting when they hooked up a non-jailbroken, fully up-to-date iPhone 3GS to a PC running Lucid Lynx …

I uncovered a data protection vulnerability [9], which I could reproduce on 3 other non-jailbroken 3GS iPhones (MC131B, MC132B) with different iPhone OS versions installed (3.1.3-7E18, modem firmware 05.12.01, and 3.1.2-7D11, modem 05.11.07), all PIN code protected, which means the vulnerability bypasses authentication for various data where people most likely rely on data protection through encryption and do not expect that authentication is not in place.

This is what you get via an auto mount without any PIN request:

This data protection flaw exposes music, photos, videos, podcasts, voice recordings, the Google safe browsing database, game contents… by, in my opinion, the quickest compromising read/write access discovered so far, without leaving any track record by the attacker. It’s about imagining how many enterprises (e.g. Fortune 100) actually do rely on the expectation that their iPhone 3GS’s whole content is protected by encryption with a PIN code based authentication in place to unlock it.

This, quite honestly, is a staggering flaw. It basically allows anyone capable of driving a Linux PC to copy data off of an iPhone without the owner of the phone having any idea whatsoever that this has happened.

Episode 140 – Centralized Physical Security

[podcast]http://isdpodcast.com/podcasts/InfoSec Daily Podcast Episode 140.mp3[/podcast]
ISD Podcast Episode 140 for May 28, 2010. This podcast is our contribution back to the community: we discuss vulnerabilities of interest and information security related news, hopefully providing you a few laughs and a little knowledge.

Stories of Interest:
News item 1: http://www.itwire.com/business-it-news/security/39109-microsoft-controls-worldwide-physical-security-operations-from-three-sites
What does business continuity mean to you? For Microsoft Global Security it can involve locking a door from the other side of the world.

One part of Microsoft Global Security’s activities is monitoring physical security at the company’s premises around the world. This is carried out from three Global Security Operations Centers (GSOCs), located at Redmond (USA), Reading (UK) and Hyderabad (India), each responsible for its geographical region.

The previous approach was decentralized, people-intensive, and involved more than 60 different proprietary systems, inconsistent policies across locations, live video monitoring, VCR recording, and lots of paper.

In contrast, the GSOCs are centralized, automated, highly interoperable, and use generic hardware (notebooks are used so they can be quickly removed if a centre must be evacuated), off-the-shelf software, and digital video. The hardware standardization means that any workstation can be used for any purpose, though in practice seats are associated with particular functions.

Episode 139 – Redphone Crypto Calls

[podcast]http://isdpodcast.com/podcasts/InfoSec%20Daily%20Podcast%20Episode%20139.mp3[/podcast]
ISD Podcast Episode 139 for May 27, 2010. This podcast is our contribution back to the community: we discuss vulnerabilities of interest and information security related news, hopefully providing you a few laughs and a little knowledge.

Stories of Interest:
News item 1: http://blogs.forbes.com/firewall/2010/05/25/android-app-aims-to-allow-wiretap-proof-cell-phone-calls/
Worried about the NSA, the FBI, criminals or cyberspies electronically eavesdropping on your private phone calls? There may be an untappable app for that. On Tuesday, an independent hacker and security researcher who goes by the handle Moxie Marlinspike and his Pittsburgh-based startup Whisper Systems launched free public betas for two new privacy-focused programs on Google’s Android mobile platform: RedPhone, a Voice over Internet protocol (VoIP) program that encrypts phone calls, and TextSecure, an app for sending and receiving encrypted text messages and scrambling the messages stored in their inbox.

Marlinspike says the apps will interface with users’ contact lists and other functions on the phone to take the hassle out of making calls and sending texts that can’t be eavesdropped by third parties. “Our main aim is to make this as easy as possible,” he says. “We want it to be a secure and anonymous drop-in replacement for the normal dialing system on your phone.”

RedPhone uses ZRTP, an open source Internet voice cryptography scheme created by Phil Zimmermann, inventor of the widely-used Pretty Good Privacy or PGP encryption. When a caller dials another RedPhone user, the app uses the two users’ keys to create a simple passphrase (“flatfoot eskimo” or “slingshot millionaire,” for example) and display it on each phone, allowing the speakers to verify that the codes match, and that there’s no man-in-the-middle intercepting the call.
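
To make the passphrase check concrete, here is an added example (not RedPhone's or ZRTP's own code) of how a short authentication string (SAS) is derived and why it exposes a man-in-the-middle. It assumes a Diffie-Hellman exchange over the 1024-bit MODP group of RFC 2409 (too small for real use), a toy key-derivation step (SHA-256 over a label, the DH result and both public values; real ZRTP hashes a longer message transcript and mixes in secrets cached from earlier calls), and renders the SAS in ZRTP's four-character B32 form rather than the two-word form quoted above, whose PGP word list is omitted for length. The function names and the label string are assumptions for the demo.

```python
"""ZRTP-style short authentication string demo (added example, not ZRTP code)."""
import hashlib
import secrets

# 1024-bit MODP prime from RFC 2409 (illustration only; use 2048+ bits for real work).
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF",
    16,
)
G = 2
ZBASE32 = "ybndrfg8ejkmcpqxot1uwisza345h769"  # alphabet ZRTP uses for the B32 SAS


def dh_keypair():
    """Fresh private exponent and matching public value."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def dh_shared(peer_pub, priv):
    return pow(peer_pub, priv, P)


def sas_b32(shared, pub_initiator, pub_responder):
    """Toy KDF (assumption): hash the DH result with both public values,
    keep the leftmost 20 bits and render them as four z-base-32 characters."""
    width = (P.bit_length() + 7) // 8

    def enc(n):
        return n.to_bytes(width, "big")

    digest = hashlib.sha256(
        b"ZRTP-SAS-demo" + enc(shared) + enc(pub_initiator) + enc(pub_responder)
    ).digest()
    sashash = int.from_bytes(digest[:4], "big")  # leftmost 32 bits
    bits20 = sashash >> 12
    return "".join(ZBASE32[(bits20 >> shift) & 0x1F] for shift in (15, 10, 5, 0))


def honest_call(a_priv, b_priv):
    """Alice and Bob exchange DH values directly; both phones show the same SAS."""
    A, B = pow(G, a_priv, P), pow(G, b_priv, P)
    alice_sas = sas_b32(dh_shared(B, a_priv), A, B)
    bob_sas = sas_b32(dh_shared(A, b_priv), A, B)
    return alice_sas, bob_sas


def mitm_call(a_priv, b_priv, m_to_alice_priv, m_to_bob_priv):
    """Mallory relays the call but has to run one DH exchange with each side,
    so the two phones derive different strings."""
    A, B = pow(G, a_priv, P), pow(G, b_priv, P)
    M1, M2 = pow(G, m_to_alice_priv, P), pow(G, m_to_bob_priv, P)
    alice_sas = sas_b32(dh_shared(M1, a_priv), A, M1)  # Alice believes M1 is Bob
    bob_sas = sas_b32(dh_shared(M2, b_priv), M2, B)    # Bob believes M2 is Alice
    return alice_sas, bob_sas


if __name__ == "__main__":
    a, _ = dh_keypair()
    b, _ = dh_keypair()
    m1, _ = dh_keypair()
    m2, _ = dh_keypair()
    print("honest call, both phones show:", honest_call(a, b))
    print("relayed by a MITM, phones show:", mitm_call(a, b, m1, m2))
```

In the honest call both sides print the same four characters; in the relayed call they differ, and reading the string aloud over the now-encrypted voice channel is what catches the interceptor, since Mallory cannot make two independent DH exchanges hash to the same value. The check only helps if the users actually compare the strings.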

News item 2: http://www.darkreading.com/database_security/security/app-security/showArticle.jhtml?articleID=225200102
The rampant use of default passwords within live database environments continues to plague the security of enterprise data, researchers say.

“It’s a problem that has been around for a long, long time,” says Alex Rothacker, manager of Team SHATTER, Application Security Inc.’s research arm. “A lot of default passwords out there get installed when you deploy a database, you install an add-on to it, or even if you install a third-party application that uses the database.”

As he puts it, the problem of default passwords lingering in the wild has built up during the years as a result of cumulative errors by both vendors and database administrators. In the past, the majority of vendors had no compunction about pushing out installers that automatically created default accounts to expedite the deployment of new databases, add-ons, or applications on top of the database.

“In order to perform some of the installation functions, they need to create database accounts, and some of them simply go and create an account and put a default password on it that’s well-known to the whole world,” he says.

Meanwhile, users did nothing to clean up these default accounts once installation was complete. Rothacker says the situation on the vendor front has improved considerably in recent years, but default passwords continue to be a problem for a number of reasons.
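
A practitioner's first step on this problem is an offline audit of the accounts a database actually has. The following is an added example (not from the article or Team SHATTER's tooling) that checks a dump of MySQL's user table against empty, username-derived and well-known guesses. It assumes the dump came from `SELECT user, host, authentication_string FROM mysql.user` on a server using mysql_native_password, whose stored form is '*' followed by SHA1(SHA1(password)) in upper-case hex, with an empty string for accounts that have no password at all. The sample rows and the guess list are constructed for the demo.

```python
"""Offline default-credential audit of a MySQL user dump (added example)."""
import hashlib

# Guesses tried against every account. Extend with the defaults of the add-ons
# and third-party applications you actually run, since those are where such
# accounts come from.
COMMON_GUESSES = ["", "password", "root", "admin", "mysql", "123456"]


def mysql_native_hash(password: str) -> str:
    """Reproduce mysql_native_password: '*' + SHA1(SHA1(pw)) as upper-case hex.
    MySQL stores '' (not a hash) when the account has no password."""
    if password == "":
        return ""
    inner = hashlib.sha1(password.encode()).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()


def audit_users(rows, extra_guesses=()):
    """Return (user, host, guess) for every account one of the guesses opens.
    rows: iterable of (user, host, authentication_string)."""
    findings = []
    for user, host, stored in rows:
        guesses = [*COMMON_GUESSES, user, user + "123", user + user, *extra_guesses]
        for guess in dict.fromkeys(guesses):  # de-duplicate, keep order
            if mysql_native_hash(guess) == stored:
                findings.append((user, host, guess))
                break
    return findings


# Constructed sample dump (not real data).
SAMPLE_ROWS = [
    ("root", "localhost", ""),                                    # password never set
    ("app", "%", mysql_native_hash("app")),                       # username as password
    ("report", "10.0.0.%", mysql_native_hash("report123")),       # predictable
    ("backup", "10.0.0.5", mysql_native_hash("uT8#kq!9Lm2v@w")),  # not guessable here
]

if __name__ == "__main__":
    for user, host, guess in audit_users(SAMPLE_ROWS):
        print(f"{user}@{host}: opened by password {guess!r}")
```

Running this on a real dump needs only read access to mysql.user and no login attempts against the server, which keeps the audit out of the authentication logs and away from lockout policies; the same shape of check works for any database whose password hash format is documented.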

News item 3:  http://news.techworld.com/security/3224848/new-undersea-cable-feeds-african-botnets/
Spam coming from Africa could be about to boom thanks to new broadband infrastructure in the Eastern half of the continent, according to Symantec’s MessageLabs division.

The proportion of global spam sent by Africa is still a tiny 3 percent, by MessageLabs’ reckoning, but that is up from the 2 percent in April 2009. At a time when global spam levels are stable, the extra 1.2 billion spam emails are large enough to count as a new trend.

Although the Western side of Africa, and North-Africa in particular, still account for the overwhelming volume of African spam, the company notes the lighting of a new undersea fibre cable running down the eastern edge of the continent in July 2009 was probably the key development.

Coming ashore in Djibouti, Kenya, Tanzania, Madagascar and Mozambique, the 8,400 km long, 1.2 terabit link could explain why that side of the continent has seen its share of the African spam phenomenon rise.

News item 4: http://www.darkreading.com/vulnerability_management/security/privacy/showArticle.jhtml?articleID=225200320
Cell phones and other handheld devices could become a great way to listen in on spoken conversations, researchers at George Mason University said this week.

In a paper (PDF), researchers Ryan Farley and Xinyuan Wang describe several new plays on the concept of “microphone hijacking,” which has been used for years. The idea is to put spyware on mobile devices — including laptops, cell phones, and PDAs — that can use their built-in microphones to eavesdrop on nearby conversations.

In the past, this eavesdropping has usually been done via the victim’s own cell phone or other device. But Farley and Wang describe a way to bug nearby devices belonging to nearby users to achieve similar results.

Under the researchers’ concept, called a “roving bugnet,” the eavesdropper would use a piece of malware called a “bugbot” to listen in on in-person interactions via a nearby smartphone or laptop. Such attacks would be more likely to target specific people (such as an executive or a spouse) than as a broad attack, the researchers say.

Farley and Wang conducted experiments on Windows XP and Mac OS laptops. The researchers directed their bugbot to join an Internet Relay Chat channel so they could remotely enable and disable each laptop’s microphone, streaming real-time conversations nearby. The same thing, they said, could be done on almost any smartphone.

Episode 138 – AMEX and LANRev Fail

[podcast]http://isdpodcast.com/podcasts/InfoSec Daily Podcast Episode 138.mp3[/podcast]
ISD Podcast Episode 138 for May 26, 2010. This podcast is our contribution back to the community: we discuss vulnerabilities of interest and information security related news, hopefully providing you a few laughs and a little knowledge.

Stories of Interest:
News item 1: http://www.news.com.au/breaking-news/firing-dispatcher-for-facebook-drug-joke-was-right-wisconsin-council-claims/story-e6frfku0-1225870794794
“A city council in Wisconsin defended its decision to fire a Police and Fire Department dispatcher who joked about drug addiction on her Facebook page.”

The arbitrator said the dispatcher could come back after a 30-day suspension, but the police chief appears to believe her joke was so inappropriate as to be “an embarrassment to the city”.
Personally, this seems a bit extreme; however, social networking users should be aware that investigating the Facebook pages of employees is becoming more common. Interested in seeing other status messages or postings? Then check out: http://youropenbook.org.

News item 2: http://www.net-security.org/secworld.php?id=8786

Brian Thomas Mettenbrink from Nebraska has been sentenced to a year in federal prison for his participation in the cyber attacks on the Church of Scientology’s servers a couple of years ago.

Mettenbrink pleaded guilty in January. Back then, he admitted that he downloaded computer software from an “Anonymous” message board and used that software to bombard Scientology websites to the point that it impaired the integrity and availability of those websites, in a variation of a DDoS attack.

News item 3:   http://twitter.com/AmericanExpress/status/14717827795

American Express may be in hot water after a computer engineer discovered a portion of the card brand’s website, which claims to be secure, is sending private information in the clear.

Joe Damato wrote in a blog post Tuesday that he received a promotional email from American Express encouraging him to sign up for the Daily Wish service, through which cardholders can receive hefty discounts on a limited amount of merchandise, such as computers and camcorders.

If users click on the “Sign up for Daily Wish” button, they are prompted to enter personal information, such as name, card number, security code, expiration date and billing zip code, into a pop-up box. The box includes a “This page is secure” notification link, but upon further review, Damato found this not to be the case.

The domain for the sign-up box was not using “https,” an encrypted form of information transfer, he said. Damato used the open-source packet analyzer Wireshark to confirm that the (fake) information he entered into the form was delivered in clear text back to American Express’ server.

The card company, in a tweet posted this evening, said “Aware of situation, under investigation. Site is secure & we’d always contact Cardmembers w any potential acct issue.”
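
The check Damato describes can be done in code before reaching for Wireshark: resolve every form's action against the page URL and flag any form that collects card fields but would not submit over https. The script below is an added example (not Damato's code, and the HTML is a constructed stand-in, not American Express's page); the field-name keywords and the example hostnames are assumptions for the demo.

```python
"""Flag forms that would send card data over plain HTTP (added example)."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Substrings that mark a field as card data (assumption: a small heuristic list).
SENSITIVE_KEYWORDS = ("card", "cvv", "cvc", "cvn", "security", "expir")


class FormCollector(HTMLParser):
    """Collect every <form> with its action, method and input names."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {
                "action": a.get("action") or "",
                "method": (a.get("method") or "get").lower(),
                "fields": [],
            }
        elif tag == "input" and self._current is not None:
            self._current["fields"].append((a.get("name") or a.get("id") or "").lower())

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(self._current)
            self._current = None


def looks_sensitive(field_name):
    return any(k in field_name for k in SENSITIVE_KEYWORDS)


def insecure_forms(page_url, html):
    """Return the forms that carry card-like fields to a non-https target."""
    parser = FormCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for form in parser.forms:
        # An empty or relative action resolves against the page URL, so a form
        # on an http page submits over http even though no scheme is written.
        target = urljoin(page_url, form["action"])
        sensitive = [n for n in form["fields"] if looks_sensitive(n)]
        if sensitive and urlsplit(target).scheme != "https":
            findings.append({"action": target, "method": form["method"], "fields": sensitive})
    return findings


# Constructed sample: a plain-http promo page with a "secure" badge and a
# card-entry form whose relative action therefore also goes over http.
SAMPLE_PAGE_URL = "http://promo.example.com/dailywish"
SAMPLE_HTML = """
<html><body>
<p>This page is secure</p>
<form action="/signup" method="post">
  <input name="name"> <input name="cardNumber"> <input name="securityCode">
  <input name="expMonth"> <input name="billingZip">
</form>
<form action="https://secure.example.com/login" method="post">
  <input name="user"> <input name="card_number"> <input name="password">
</form>
<form action="/search" method="get"><input name="q"></form>
</body></html>
"""

if __name__ == "__main__":
    for f in insecure_forms(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(f"{f['method'].upper()} {f['action']} sends {f['fields']} in the clear")
```

A relative action inherits the page's scheme, which is why a "This page is secure" notice on an http page proves nothing: the form posts wherever the page came from. Confirming on the wire, as Damato did, still matters, because JavaScript can rewrite the action at submit time and a static parse will not see that.
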

News item 4: http://www.wired.com/threatlevel/2010/05/lanrev/
A controversial remote administration program that a Pennsylvania school district installed on student-issued laptops contains a security hole that put the students at risk of being spied on by people outside the school, according to a security firm that examined the software.

The LANrev program contains a vulnerability that would allow someone using the same network as one of the students to install malware on the laptop that could remotely control the computer. An intruder would be able to steal data from the computer or control the laptop webcam to snap surreptitious pictures.

The vulnerability was discovered by researchers at Leviathan Security Group. They began examining the program after customers who saw media coverage of the Pennsylvania case expressed concern that the program might be exposing their employee computers to intrusion from outsiders. The same software is used by many businesses to monitor and maintain their employee laptops.