Symantec light on AV compromise specifics

Some odd answers forthcoming...

Symantec claims customers using its endpoint protection and antivirus products are not at risk following revelations the company's AV source code was stolen in 2006.

But when it comes to providing specifics, Symantec is guarded.

Following yesterday's blog post, Symantec has claimed recycled source code from its corporate antivirus product of 2006 makes up only 5% of current endpoint protection software.

But it won't say which 5%.

Furthermore, 5% of Symantec's latest bells-and-whistles endpoint security products is a lot of code; basic corporate AV solutions from 2006 were pretty small by comparison to today's bloatware. So it could well be that a large proportion of the stolen code is actually in the current product. THAT's the percentage I'd like to see.

Here's the company's response to yesterday's questions, and below that my lingering unease about the company's answers.

    We have definitely analyzed the 5% of the code and have determined it to be benign enough in nature not to present a security threat to current Symantec and Norton users if an attempt was made to exploit it for the purposes of a cyber attack. Furthermore, as mentioned in the previous e-mails, the combination of features in the current Symantec and Norton software would protect customers against an attack. For competitive purposes and protection of our intellectual property, we are not going to get into the specifics of the exact functionality of the 5% of that code.

    Given the visibility of this incident, i.e. there is consistent monitoring of our communications by hackers and the Anonymous group, we're hesitant to provide specifics on the size of the code for NAV CE and SEP 10.2 (hence someone may be able to tell what they have or don’t have based on the size alone). However, you are correct that the total amount of code for Symantec Endpoint Protection is demonstrably larger than NAV CE, again, if for no other reasons than to accommodate all of the new features and functionalities layered upon over the previous six years.

More technical readers would know that the claims that extra features in the company's newer endpoint protection software would make exploitability impossible are quite simply bunk.

Sure, they might provide some defence-in-depth protection against malware, but I fail to see how a new, whiz-bang file reputation ranking engine will prevent targeted exploitation of vulnerable AV scanning engine code, for example.

Further, Symantec has stated it analysed the relevant code and determined it's not vulnerable, but won't say which chunks of that code have found their way into current products. Why? Surely if the code is good it can say which component is still being used in current source trees.

Also, calling Anonymous a "group" is a bit silly, especially in this instance as it was a bunch of people calling themselves the Lords of Dharmaraja who claimed credit for the attack. Anons have just been chuckling along with them. For a company like Symantec to conflate this compromise with the activities of a broader meme/movement like Anonymous may be convenient for PR purposes, but it's not really accurate.

So, brass tacks time: It's unlikely the Symantec AV source code that's doing its rounds over the Internet is going to really help attackers out there in a meaningful way. That said, I get the impression that Twitter user @GMKnowBoulder was right yesterday when they said Symantec seems stuck in the "quantum void between the engineering force and the marketing dark side".

So who out there can be bothered bindiffing NAV CE circa 2006 against current endpoint protection products?

Find Patrick Gray on Twitter.

UPDATED: Symantec's spin department at work?

Source disclosure has Symantec in damage control mode...

UPDATED WITH COMMENT FROM SYMANTEC BELOW

So it's happened -- a significant chunk of Symantec's source code has been made available online as a torrent.

This followed the release of a pretty loltastic Pastebin dump which purports to show e-mail negotiations between a Symantec staffer and the hackers who obtained the source.

In the alleged correspondence the Symantec rep offers said hackers $50,000, paid in $2,500 monthly instalments, in exchange for guarantees they won't publish the source and issue a statement saying the breach never happened.

Symantec claims the whole thing was a setup designed to draw the attackers out. That claim is entirely credible.

The publication of the correspondence is nonetheless embarrassing for Symantec, which has actually handled this whole situation pretty well.

When it realised its source code for PC Anywhere had been walked in 2006 it initiated an urgent audit of the relevant code and found some major problems. It recommended users stop using PC Anywhere until it issued a series of patches correcting the bugs. Those patches are out.

Of course the question remains as to why they took until now to review the security of the PC Anywhere source. The bugs they found were really, really serious. And obvious. And had been there for five years at the very least.

But what really puzzles me is the company's attitude towards the publication of its corporate antivirus software. PC Magazine published an article that quoted a Symantec representative as saying:

    To be correct, the code is for Norton Antivirus Corporate Edition, i.e., what used to be used by enterprises. As it is, customers face no security threats if the code is posted. It's a product that is no longer available, supported, or sold.

    The code is so old that even if there were attempts to generate a cyber attack, it would take on the characteristics of a 2006 attack. The age of the code inherently limits what can be done with it. It is, essentially, worthless code. At this point, Anonymous would be releasing it for PR purposes and that's it.

That's a bold statement but it could well be true. But what exactly is Symantec saying here? Is it saying that absolutely no source code from its old Corporate Edition has found its way into current enterprise software?

Also, what characteristics, exactly, do "2006 attacks" possess? How does the "age of the code" limit what can be done with it?

That whole statement is just weird and until we get more information out of the big yellow S it just raises more questions than it answers.

I'll be firing off some questions to Symantec PR on this and we'll see what they say.

UPDATE: The PR gnomes at Symantec have issued this response:

    "Based on our analysis, the Norton Antivirus Corporate Edition code in question represents a small percentage of the pre-release source for the Symantec AntiVirus 10.2 product, accounting for less than 5% of the product.

    As such, that is not enough of a percentage to mount or develop a successful cyber attack against current Symantec and Norton solutions.

    If customers are using current version of their Symantec or Norton products, they will be protected against attacks that might result from the theft and possible disclosure of the code."

I've pushed back again to ask a few followups... like, WHICH 5% is still in the product? Was the other 95% of code rewritten from scratch? Or was some of it just "updated" from the original source? Did they have the AV products audited in the same way PC Anywhere got the once over? etc etc.

Will hopefully have an update soon.


Verisign pwnz0red: Reuters report

Verisign successfully attacked in 2010: Report

An interesting news piece hit the wires overnight describing the 2010 breach of a handful of Verisign's corporate systems.

The story was broken by the Reuters news agency and is peppered with sensational quotes like a former NSA and DHS guy saying "ZOMG this will end the interwebz" despite the fact the guy knows about as much as we do about the breach. You can read the whole thing here.

It’s interesting for several reasons. Firstly, the reason we know about this event is because it was disclosed in the company’s SEC filings. Secondly, Verisign is a very important company when it comes to the issuance of digital certificates. And finally, the story is made all the more fascinating by the vagaries of the disclosure. The filing is a tad light on specifics, like what data was actually "exfiltrated".

It’s also a sad sign of what's become of the technology media. The breach was disclosed in an SEC filing back in October, but has only hit the news now.

Symantec says there's no evidence to suggest the breach affected its SSL systems, which, if true, means the story as reported is a bit of a beat up.

I suspect this breach is unlikely to be of the magnitude of the RSA hack or Aurora attacks against Google. If anything it tells us more about the sorts of disclosures we're likely to see in future SEC filings in the USA.

But who knows? Sometimes these stories are slow burners...

Either way, the fact that no one would be surprised if Verisign's SSL boxes got pwned is proof enough that browser manufacturers need to redouble their efforts in protecting users from man-in-the-middle attacks performed with illicitly issued but "technically legitimate" certificates. I believe Chrome already pins certs for most major websites and IE might already do it too.

What does your gut feel say? Drop us a comment!


Risky Business #223 -- Summer edition: Drones pwned?

Russians owned our pumps. Persians pwned our drones.

This is a special summer edition of the Risky Business podcast. There's no feature interview or sponsor interview -- just Adam Boileau and Patrick Gray discussing the most interesting security news items of the last three weeks, including:

Risky Business #222 -- Never pay for roaming data again

How to turn your Kindle into a free, global SSH and IRC modem...

I thought we'd just have a bit of a fun feature for the last show of the year. It's an interview with Edith Cowan University's Peter Hannay about a presentation he did at Ruxcon back in 2010, all about turning Amazon's Kindle into a completely free internet access device that works all over the world.

Oops! McAfee discloses 1k customer e-mails

D'oh! Next time use the BCC field!

McAfee Australia leaked 971 customer e-mail addresses in a botched e-mail marketing campaign last week.

The addresses of the recipients were placed in the visible TO field instead of the BCC field.

It's an all-too-common mistake, made especially embarrassing for McAfee because it's not the first time in recent memory something like this has happened.

In July, 2009, the company accidentally attached the full contact details of 1,400 customers to a marketing mailout.

The latest e-mails to leak are those of enterprise and government contacts, not consumers.

In response to a query from Risky.Biz, McAfee released the following statement through its public relations firm Spectrum Communications:

    Late last week McAfee sent an email inviting a small percentage of McAfee customers, based in New South Wales, to its Enterprise Mobility Management webinar. Due to human error and contrary to McAfee policy and procedure, the email inadvertently revealed the recipient email addresses.

    This error has been investigated and we are in the process of contacting the people affected to apologise, provide information and request that recipients delete the email addresses we have shared in error.

    We are taking this opportunity to remind all staff of the importance of our processes around customer communications.

This sort of thing is always so embarrassing...


Risky Business #221 -- Browser GFX security with Ben Hawkes

Does the hype match the reality?

In this week's feature interview we're chatting with Google's Ben Hawkes about the risks posed to browsers by new developments in the way they handle graphics. WebGL and Flash Stage3D give websites easy access to graphics cards but introduce a bunch of potential security issues. What if there's a bug in your graphics card driver? Can you then exploit that through the browser?

Risky Business #220 -- All your Macs are belong to Snare

Rootkitting OS X, fun with EFI bootloaders and more...

On this week's podcast we take a look at doing some fairly unnatural things to the OS X operating system. We'll hear how to best rootkit OS X and also how messing with EFI bootloaders can be a whole bunch of fun in terms of installing persistent rootkits in PCI firmware.

Risky Business #218 -- Precisely how badly does Android support suck?

Hint: The answer starts with "sub" and ends in "stantially"...

On this week's show we're taking a look at support for Android devices. If you're a regular listener you would have heard us whingeing about Android's woeful support. We've often said most Android devices out there are running old and insecure versions of the software, and now we have proof.

This week's feature guest, Michael DeGusta, has done a bit of research on this topic and found, well, Android support is even WORSE than we first thought. He turned his research into a chart that went viral. Here it is:

RSA attackers pwnz0r Australians

760 other companies hit in RSA attacks...

Infosec reporter Brian Krebs published a splendid post a couple of days ago that apparently unmasks 760 victims of the same group that owned RSA.

I've had a look through the list and pulled out all the Australian organisations I could find. From the looks of things this list was compiled by observing computers connecting back to evil C&C in China. That would explain why there are so many ISPs listed -- it's likely it wasn't the ISPs that got pwnz0riz3d, it was their customers.

This full list is apparently doing the rounds among congressional staff in the USA.

So, Australia-centric highlights of the reverse-lookups include:

* CITEC-AU-AP QLD Government Business (IT)

Basically all QLD Government IT is outsourced to CITEC. It's the QLD state govt's IT agency.

* DSE-VIC-GOV-AS Department of Sustainability & Environment

Also affectionately known in political circles as the Department of Scorched Earth, it looks like DSE got popped. Not much mining in Victoria, so your guess is as good as mine as to why.

* CSC-IGN-AUNZ-AP Computer Sciences Corporation

I'm guessing this was CSC itself or one of its customers. Does CSC operate a few gateways? It does here, from memory... a few in Canberra, too. *cough*

Then there are the ISPs.

* AMNET-AU-AP Amnet IT Services Pty Ltd
* TPG-INTERNET-AP TPG Internet Pty Ltd
* MICRON21-AS-AU-AP Micron21 Melbourne Australia Datacentre. Co-Location Dedicated Servers Web Hosting
* PI-AU Pacific Internet (Australia) Pty Ltd
* TELSTRA Telstra Pty Ltd
* VZB-AU-AS Verizon Australia PTY Limited
* MPX-AS Microplex PTY LTD
* IINET iiNet Limited
* MCT-SYDNEY Macquarie Telecom
* AAPT AAPT Limited

Then there's this:

* TEAM-CYMRU Team Cymru Inc.

Some of you will know why that's equal parts funny and bad.

BREAKING: First State Superannuation threatens researcher

Pension fund engages Minter Ellison...

Australian security researcher Patrick Webster has received a letter from commercial law firm Minter Ellison demanding he turn over his computer to its client First State Superannuation.

The legal threat follows Webster's disclosure of a serious and trivially exploitable security vulnerability in First State Superannuation's website to the company in September.

Listen to my interview with First State Superannuation's Chief Executive Michael Dwyer AM here.

The flaw allowed any logged-in member to access other members' statements by changing a single digit in their browser's URL bar.

The letter, received today, threatens to pursue Webster for costs incurred "in dealing with this matter" if he does not agree to delete all information he obtained by demonstrating the flaw and promise to never attempt to access other member information again.

Webster claims he deleted the information in September. He says some member information, around 500 statements, was downloaded to his computer when he tested a bash script that would demonstrate the flaw to the company's IT staff.

He ran it while he made a cup of tea, saw that it worked, deleted the information and sent the script to First State Superannuation's IT staff so they could independently verify the glaring security hole.

You can read the letter here.

Editorialising for a minute, if Webster had planned to do something untoward with the information he obtained in his four minutes of testing, why would he inform the company of their security issue? Why would he now retain the member information he was trying to protect by reporting the bug in the first place?

If he'd found the bug in a Facebook or Google Web application, Webster would have actually received compensation for his time, not reported to the police and threatened.

Now the company is threatening to recoup costs from him if he doesn't allow them to get their grubby, insecure mitts all over his computer. Why not just ask for a signed statutory declaration? Why resort to threats?

The irony here is it's entirely possible that the glaringly obvious, boneheaded direct object reference bug that Webster exposed puts First State Superannuation completely on the wrong side of various compliance regimes and acts, including the Australian Privacy Act which stipulates organisations must take reasonable steps to secure personal information.
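The direct object reference flaw described above, as an added example that is not from the article or from the fund's systems: a statement lookup that trusts the id in the URL, beside the ownership check that closes the hole, plus a small check over constructed access-log lines that flags a session pulling many different members' statements. All store contents, member ids and log lines are constructed for illustration.

```python
# Added example (not from the article): a statement lookup that trusts the
# id in the URL, the ownership check that fixes it, and a log heuristic for
# spotting one session enumerating many members' statements.
# All ids, contents and log lines below are constructed for illustration.
from collections import defaultdict

# Constructed store: statement id -> (owning member id, content)
STATEMENTS = {
    1001: ("m-1", "statement for member m-1"),
    1002: ("m-2", "statement for member m-2"),
    1003: ("m-3", "statement for member m-3"),
}


def get_statement_vulnerable(logged_in_member, statement_id):
    """Looks up the statement by the id in the URL and never asks whose it is.
    Any logged-in member can read any statement by changing a digit."""
    owner, content = STATEMENTS[statement_id]  # owner is never checked
    return content


def get_statement_hardened(logged_in_member, statement_id):
    """Same lookup, but the record must belong to the session's member.
    A mismatch is treated exactly like a missing record, so the response
    does not reveal which ids exist."""
    record = STATEMENTS.get(statement_id)
    if record is None or record[0] != logged_in_member:
        raise PermissionError("statement not found or not yours")
    return record[1]


def enumeration_suspects(log_lines, threshold=3):
    """Defender-side check over constructed access-log lines of the form
    '<member> GET /statement/<id>': return members whose session fetched
    more than `threshold` distinct statement ids, a pattern a member
    reading only their own statements would never produce."""
    ids_by_member = defaultdict(set)
    for line in log_lines:
        member, _, path = line.split()
        if path.startswith("/statement/"):
            ids_by_member[member].add(path.rsplit("/", 1)[1])
    return sorted(m for m, ids in ids_by_member.items() if len(ids) > threshold)


SAMPLE_LOG = [  # constructed access-log lines
    "m-1 GET /statement/1001",
    "m-2 GET /statement/1002",
    "m-7 GET /statement/1001",
    "m-7 GET /statement/1002",
    "m-7 GET /statement/1003",
    "m-7 GET /statement/1004",
]
```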

Risky Business #215 -- Aussie researcher heavied, Mitnick and more!

Researcher Patrick Webster facing legal action, PLUS a funny story with Kevin Mitnick...

On this week's show we're delving into a troubling story emerging here in Australia. A local security researcher and consultant, Patrick Webster, has been threatened with criminal and civil prosecution after he disclosed a direct object reference bug in his pension fund's systems.
