Well-known Australian information security professional Patrick Webster has been visited by NSW Police officers following his disclosure of an embarrassing Web application security bug to his superannuation fund.

Webster had noticed his pension fund, First State Superannuation, allowed logged in members to access online statements via "direct object reference," a security lapse so boneheaded it's included in OWASP's infamous top ten list of Web application security bugs.

For those unfamiliar with direct object reference, it means documents are served up by way of a direct ID in a URL. The problem is that by changing the document ID in the browser's URL bar, another document will be accessed and served to the user.

Direct object reference issues have been well known for over a decade. The Australian Treasury's GST Web Site was affected by a similar glitch in 2000.

Sure enough when Webster incremented the document ID number in the URL linking to his super statement, up popped another member's statement. He contacted First State Superannuation's administration arm, Pillar Administration, to notify them of the problem the morning after he discovered the company's shoddy coding.

He even sent one of the fund's IT staffers a bash script to demonstrate the issue. The script enumerated document IDs and downloaded statements.

"It needed to be fixed ASAP," Webster, who runs information security company OSI Security and is a prolific Metasploit contributor, told Risky.Biz. "That's why I made a script and sent it to [redacted], so he could run the script himself and see what I meant."

The initial response from the fund was positive, with e-mails seen by Risky.Biz praising Webster for taking the time to notify the right people.

First State Superannuation has 770,000 members, mostly working for the NSW State Government. Members include everyone from magistrates to police officers and nurses.

It was two of those NSW police officers that turned up at Webster's front door at around 9pm last night.

"They just rocked up on the doorstep and said 'We're after Patrick'," he said. "They said it was about downloading files from First State Super. They said they didn't really understand it. They were the local Police.

"The annoying part is that I contacted First State straight up. I gave them my number, email... and full details in my email including LinkedIn and they called the cops," Webster said.

It is generally understood in the information security industry that data accessed via a URL without further authentication has, in essence, been made public by the system allowing the access.

It is difficult to argue that the access of such material is the bypass of a security control; it is merely proof of the absence of a security control.

Webster demonstrated that any logged in First State Superannuation member could access the online statements of any other member via URL manipulation alone.

It was Pillar Administration and First State Superannuation's diabolical violation of good practice that exposed members' details, not Webster's actions.

For background on just how dysfunctional and negligent an organisation has to be to allow direct object reference to sensitive information, click here.

Perhaps instead of contacting the law, First State Superannuation would have done well to send Webster, who ironically enough spent much of his career working in information security for NSW Police, a nice bottle of single malt and a sun hat.

The company has suspended online access to Webster's account. Passing the buck, wasting taxpayers' money and police time FTW.

Calls to Pillar Administration's head office and individual staffers were not returned. Staffers reached would not comment. Comment from NSW Police could not be obtained by time of publication and detectives reached would not comment.

Pillar Administration and First State Superannuation have since fixed the direct access bug and notified members whose information was accessed by Webster's script. See the letter here [pdf].

The only silver lining that could come out of Webster being charged with something -- what, exactly is a bit foggy -- would be watching a prosecutor try to explain to a magistrate that changing a single digit in a browser bar is a computer crime.

Lawl/snort/chortle etc.

Follow Patrick Gray on Twitter here.

Check out the Risky Business podcast here.

Subscribe to podcast feeds here.

By now you've likely read about the German Chaos Computer Club's (CCC) reverse engineering of the so-called "Bundestrojaner," or "federal trojan".

Someone found a copy of a remote access trojan in the wild, claimed it was government spyware and submitted it to CCC for analysis. The resulting publications give us a bit of an insight into at least one country's alleged "computer tapping" capabilities.

The German government has actually denied the malware is used by any of its federal agencies. Who knows about state police services or agencies. But if it turns out the trojan is indeed 'legit' then we can safely say, drum roll please, governments write pretty shitty malware.

I've been moved to write about this whole drama by the reaction to CCC's analysis. Some people out there are actually shocked that governments have this capability. I'm shocked they're shocked!

Every time one of these (allegedly) government-created remote access trojans pops up the tinfoil hatters scream Big Brother; they seem to think the existence of this sort of technology proves governments are conducting illegal surveillance on a massive scale.

They think the feds are rattling around in their computer already looking for evidence of subversive political thought. Kids, the government isn't using this technology to obtain advance copies of the anti-globalisation manifesto you're writing for Pastebin. You're a 21-year-old arts undergraduate with 320 Twitter followers. You're a nobody and no one cares about you. Deal with it. (QQ)

Reaction from the fringe-dwellers aside, the CCC analysis was a truly worthwhile exercise. It managed to expose a few things, like the fact the trojan was shipping with features explicitly forbidden under German law pertaining to surveillance.

The German government, under warrant, can lawfully intercept IP-based telephony with spyware, but it's not allowed to snoop on, say, files on the infected host's hard disk. Bundestrojaner's features explicitly allowed this.

As mentioned, the German (federal) government has denied Bundestrojaner is its creation, but you can bet your bottom dollar any similar badware used by ze Germans is now getting some proper attention and oversight from up on high.

This whole exercise has raised awareness at the very top and that's a hell of an accomplishment. The CCC deserves a pat on the back -- genuine kudos -- for bringing these issues to light.

CCC also found the Trojan was a big pile of insecure, bug-riddled shit that anyone with half a brain could reverse and learn how to control; unencrypted command and control For The Win.

Even if this trojan isn't government spyware, you can bet the real stuff is likely just as bad.

But like it or not, governments today actually need these capabilities for legitimate reasons.

So let's cool the debate a bit.

Just like a court approved telephone intercept, there are entirely valid reasons for law enforcement to conduct covert searches of suspects' computers. There's simply no problem with governments having this capability as long as the judicial oversight is sufficient. [ADDED 25/11/11: I've reflected a bit on this and I don't think you can actually introduce sufficient oversight in this case. In the case of intercepting communications like Skype? Maybe. But in the case of just going nuts snooping on someone's hard drive? That's just a situation ripe for abuse. So colour me convinced!]

If a law enforcement body is looking for specific evidence pertaining to a serious crime, has a prima facie case and there's no other practical way to obtain the evidence, how is a court granting a warrant allowing this sort of snooping a bad idea? [ADDED 25/11/11: Again, I'm convinced there's no effective oversight you could introduce here. In the case of phone/Skype intercepts I think you probably can have appropriate oversight, but remote, covert searches of someones' computer are a genuinely shitty idea. Mea culpa. I think I was just being contrarian to annoy the tinfoil hatters.]

We do not have an absolute right to privacy from government, even in Western democratic nations. The state can intrude on the privacy of its citizens if there's a good reason. [ADDED 25/11/11: I absolutely stand by this as a general principle.]

Should governments be installing completely bug-riddled, insecure trojans on peoples systems? Nope. Should they creating features that allow the controller of the malware to easily exceed their authority? Again, no.

But let's not throw the baby out with the bathwater here. These government-created RATs are valuable as investigative tools in serious crime investigations. That's good for all of us.

Let's look at this CCC analysis for what it is: A good excuse for Attorneys-general and police ministers all over the world to make sure this technology is being implemented in accordance with each country's wiretapping and surveillance legislation.

What do you think? Post a comment here.

Follow Patrick Gray on Twitter here.

Check out the Risky Business podcast here.

Subscribe to podcast feeds here.

This week's feature guest is Kevin Mitnick! Possibly one of the world's best known computer hackers, Kevin has been the subject of several books and even a B-Grade movie. He spent years on the run evading capture by the FBI, eventually winding up in prison for something like five years.

There's no feature interview in this week's show, instead we're focussing on news instead!

This week's feature guest is the head honcho of the Beef Project, NGS Secure's Wade Alcorn.

Over the last couple of weeks you may have spotted some news stories floating about claiming cybercrime costs society US$388bn annually, with Australia alone suffering A$4.6bn in yearly losses.

If the numbers are to be believed, these reports say, that means cybercrime costs us nearly as much as the global trade in illicit drugs. It's a sensational claim and makes an awesome headline, but any way you slice or dice the numbers they just simply don't stack up.

What's more frustrating is the most cursory analysis of these figures is enough to show they're fanciful. Yet lazy media outlets, spurred on by reports carried by the sycophantic technology media, happily parroted these claims as fact without doing the most basic checking.

Institutional fraud measurements here in Australia blow the claimed numbers out of the water immediately. Direct losses from all personal fraud in Australia, online and offline, is estimated at A$1bn a year. So where did the claim involving a A$4.6bn annual impact come from?

The numbers were dug out of a survey report released by Norton, the consumer division of Symantec, a company that makes computer security software.

Norton engaged an online survey company, Strategy One, to quiz around 20,000 people in 24 countries about their experience with cybercrime. It asked respondents to nominate both direct and indirect losses they experienced as a result of online crime.

Based on the responses Strategy One received, direct annual consumer losses extrapolate to USD$114bn a year. That includes losses that consumers experienced that were reimbursed, as is the case with the vast majority of credit card fraud.

That figure seems high enough, but where things get comical is when Norton throws indirect losses into the mix.

When asked to nominate how much these cybercrime experiences were worth in terms of "time lost," Strategy One extrapolated a figure of USD$274bn.

Now, here's where it gets into Twilight Zone territory. According to Norton, United Nations figures estimate the illicit trade in heroin, cocaine and marijuana is worth US$288bn a year. The total illicit drugs trade is worth, apparently, US$411bn per annum.

But if you add the USD$114bn figure for direct cybercrime losses to the USD$274bn "time lost" figure, you wind up with a total just under the figure for drug sales (USD$402bn).

The result is the claim that "cybercrime is... approaching the value of all global drug trafficking". You see what they did there? Voila! Instant headlines!

Norton is actually equating a fictional "time lost dollars" -- that never actually existed -- with actual dollars spent on marijuana. You'd think the marketroids were smoking the green stuff themselves when they came up with that comparison.

They must be regular users, too, because Norton put out a press release on September 11, 2009, claiming cybercrime actually eclipsed the global drug trade. The press release was titled: "Cyber Crime has Surpassed Illegal Drug Trafficking as a Criminal Moneymaker; 1 in 5 will be a victim".

As a moneymaker? Really? That's not even what Norton is claiming now!

If that wasn't loose enough, it seems obvious that if we included "time loss" figures stemming from the illicit drug trade the comparison would be blown apart immediately.

Just think of the harm being inflicted on Mexico right now by the drug cartels, not to mention narco-related drama in countries like Afghanistan. Then there's the money spent on the "War on Drugs," keeping drug dealers in prison and the productive capacity society loses to all those dope-smoking young males glued to their PlayStation 3s.

While we're doing things the Norton way, why don't we include lost income that unemployed heroin users could be making if they straighten up? It'll be a completely meaningless number, but as long as it's big, apparently, it gets a run.

Norton's definition of cybercrime is also fairly liberal. It defines "online harassment" as a cybercrime, along with being "approached online by a sexual predators". Online credit card fraud is defined as "someone made an unauthorized use of my credit/debit card, or card number, to fraudulently obtain my money or property".

The word "online" doesn't even appear in the definition. This question, as written, will catch all credit card fraud.

It gets better. In June two researchers from Microsoft, Dinei Floręncio and Cormac Herley, wrote a brilliant paper titled "Sex, Lies and Cyber Crime Surveys".

You can read it here, but the general thrust of the paper is self-nominated loss figures are notoriously unreliable.

Floręncio and Herley say surveys of sexual behaviour demonstrate people lie when asked to nominate how many sexual partners they've had. In a random sample, it stands that the average number of sexual partners for both men and women would be the same. But they're not.

Women generally tell the truth, albeit shaving the number slightly. Men also generally tell the truth. Unfortunately, some men, the research says, massively overstate their notches-on-the-bedpost quota, and that throws the reliability of the survey more or less out the window. Floręncio and Herley argue overstated loss figures cause the same problems in cybercrime surveys.

Cybercrime surveys that rely on self-nominated losses require multi-layer sampling and a sample size of up to several million respondents in order to be regarded as accurate, the Microsoft paper claims.

The problem boils down to concentration. Overstated losses can massively skew data sets. In a survey based on 1,000 respondents, Microsoft says, a claim of a single loss of $50,000 would translate to a loss figure of $10bn over the whole population. A nominated loss of $7,500 translates to $1.5bn.

So, they say, we should "discard" any survey that doesn't disclose both the median and mean figures for responses. These two figures give the reader an idea of how concentrated the responses are.

The Norton survey does not disclose these figures.

There are places we can look to find more trustworthy sources of information relating to crime and fraud. The Australian Bureau of Statistics, for example, estimates all personal fraud, both online and offline, costs Australians AUD$1bn a year (2007).

The Australian Payments Clearing Association (APCA) calculated Australian Issued Payment Instrument (credit store and debit cards, cheques etc) at around A$210m for 2010.

Sure, a body representing financial institutions might have an interest in understating these figures, but Norton's report claims direct cybercrime losses in Australia are A$1.8bn a year (roughly A$300 per household) with a further A$2.8bn in indirect losses!

Put simply, Norton's figures just do not look credible next to institutional measurements, and Microsoft's research tells us these types of cybercrime surveys are unreliable.

For its part, Norton says the discrepancies can be explained because much cybercrime goes unreported. "We are confident that the Norton Cybercrime Report is a valid representation of the current state of consumer cybercrime," the company wrote in response to questions.

It's understandable that a company with a vested interest in overstating a problem will release this sort of marketing material. It's another thing for the media to just run with it without questioning the numbers.

On this week's show we chat with Ruxcon organiser and vulnerability researcher Chris Spencer.

The following is a recording of a panel discussion about Wikileaks that took place at the Splendour in the Grass music festival in Woodford, QLD, Friday, 29 July 2011.

It seems the bad guys are targeting Australian Internet users this week. I got a few of these this morning, as did a couple of Risky.Biz listeners:

From: rules@abr.gov.au
Date: 14 September 2011 10:05:53 AM AEST
To:
Subject: Attention for the ABN owners
x-original-to: REDACTED
x-mailer: azzgnshjz.46

Australian Taxation Office together with Australian Business Register
wants to inform you that starting from January, 1 2012 new rules of use of ABN number are being introduced.

The changes will concern:
- GST credits;
- Australian domain names registration

More detailed information about the coming changes in the rules you can find HERE.

Australian Business Register
www.abr.gov.au

All links in the e-mail go to the domain australianbusiness-store.com.

That site drops an executable named updateTax15sept.pdf.exe.

Geez. I wonder if I should run it?

I also received a couple of other, similar messages purporting to come from the ATO. Again, all links pointed to the domain australianbusiness-store.com.

TL;DR: Drop domain australianbusiness-store.com at your gateway.

UPDATE: Our buddy Neal Wise at Assurance.com.au says the same spam run makes use of the domain australian-businesssite.com, too... Some on Twitter have reported hundreds of these spams coming through their gateway just this morning. Seems very tightly focussed on an Australian audience.

Patrick Gray on Twitter.

On this week's show we take a look at the security of browser JIT engines with two extremely smart guys: Chris Rohlf and Yan Ivnitskiy of Matasano Security.

What a week in information security! Between Kernel.org getting owned, the Iranian Government apparently hacking a Dutch CA to mint around 250 valid certs for stuff like *.google.com and Wikileaks experiencing a spectacular opsec fail, there's plenty to talk about in this week's news segment with Adam Boileau.

This week's feature interview is with anonymous infosec blogger Diocyde.

You may have heard about Microsoft's Blue Hat Prize for defensive security research. The company is running a contest for the best memory corruption bug mitigation technology. So, if you reckon you've found the next DEP or ASLR, you could be eligible for the company's $200,000 first prize.

A massive Pastebin dump of domain names and IP addresses supposedly linked to a cyber espionage ring appears to be the real deal.

The Pastebin dump, dated August 15, lists around 850 entries containing domain names and IP addresses, supposedly leaked by "RSA Employee #15666". The dump asserts the IP addresses and domain names listed are used in command and control operations by a cyber-espionage ring.

"My sincerest apologies go out to those with ongoing monitoring operations on any of the IP addresses involved," the dump reads. "These attacks have targeted US and Canadian companies almost exclusively for at least five years... and continue to be extremely effective."

The dump claims the operation targets include private US defence firms.

The dump also makes the explosive claim that many of the IP addresses are monitored by private information security companies "...for the purpose of supplying stolen information back to the affected companies."

"Stolen data is effectively held hostage for the price of doing business with the company in the know," the dump reads.

The idea might sound like an unlikely conspiracy theory, but it's lent some serious credibility by a leaked HBGary analysis of some of the same IP addresses and domain names. That analysis appears to confirm their authenticity as espionage-linked callback IPs.

The analysis, which was leaked by an attack on HBGary Federal by Anonymous in February this year, identifies each IP address as a callback address for custom malware used in espionage operations, presumably operating out of China. The IP addresses serve a configuration file that re-directs infected hosts to an interactive command and control IP based in Hong Kong.

The vast majority of the leaked IP addresses are physically located in the US.

HBGary codenamed the operation "Soysauce".

"The soysauce group targets a large number of defense contractors who service the U.S.A," the analysis begins.

Alarmingly, the HBGary document suggests that each sub-domain of each registered domain name corresponds to a successfully compromised target.

Booz Allen Hamilton via bah001.blackcake.net, Mantech Corporation via mantech.blackcake.net and man001.blackcake.net.

So on, so forth.

This means each of the 850 entries in the dump potentially corresponds to a custom callback address for each successfully compromised victim.

To cut a long story short, if you find any of those IPs in your logs, you're likely owned by the Chinese government.

If you don't find them, you're probably owned anyway.

Risky.Biz has no reason to believe Pastebin data was actually leaked by an RSA employee.

Subscribe to the Risky Business podcast here.

Check out our podcast directory here.

In this week's feature interview we're chatting with Dino A Dai Zovi about Mac security -- Dino's well known as a Mac hacker and he's just done a BlackHat talk in which he evaluated Apple's IOS 4.x operating system for enterprise suitability. How did it stack up? Find out after the news!

On this week's show we're taking a look at the most devastating state sponsored planet melting, child eating APT the world has ever seen... according to Gizmodo it's the BIGGEST CYBER ATTACK IN HISTORY.

This week we're chatting with Detective Superintendent Brad Marden of the Australian Federal Police. While the FBI are out locking up Low Orbit Ion Cannon users on no-bail warrants, Mr. Marden and his team, apparently, are out doing real, actual police work to catch real, alleged criminals. How refreshing!

In this week's feature interview we're chatting with Silvio Cesare.

As many readers would no doubt already be aware, the FBI has just arrested 16 "members" of Anonymous in relation to DDoS attacks and intrusions.

The US Department of Justice swiftly issued a press release with the catchy, ALL CAPS title of "SIXTEEN INDIVIDUALS ARRESTED IN THE UNITED STATES FOR ALLEGED ROLES IN CYBER ATTACKS".

So this is a massive blow to "Anonymous" and its sophisticated campaign of mayhem, right?

Wrong.

One of the complaints details charges to be laid against Scott Matthew Arciszewski, 22. He's alleged to have somehow created an account on Infragard Tampa's Website and successfully uploaded a couple of files.

By the looks of things he made no attempt to hide his actions -- using his own IP address to conduct the "attack" -- then Tweeted about it and directed his followers toward his Website.

How stealthy.

What a criminal mastermind. I'll sure sleep better tonight knowing this criminal genius has been taken off the streets.

Another complaint alleges former AT&T contractor Lance Moore uploaded a bunch of commercially sensitive material to Fileape. That information was subsequently "redistributed" by LulzSec.

This guy isn't even alleged to be sailing aboard the Lulz Boat, but hey, at least the DoJ got to use the word "LulzSec" in an indictment. What a win!

The remaining 14 arrests deal with a DDoS attack against PayPal, apparently in retribution for that company's decision to suspend payment processing for Wikileaks. They were using LOIC. How 1337.

So what does this all amount to? A leaker with internal access (AT&T), a young guy who was able to pwn Infragard in about five minutes (great security, guys) and a bunch of LOIC users.

And yet the coverage I'm seeing still persists with this ridiculous idea that the arrests will be some sort of strike against Anonymous, the "group".

So here, let's try to get something straight, once and for all: Anonymous is not a group. It's not a hydra. It's not a "loose collective". Anonymous is just a designation. Why is that so hard to understand?

Let's try an analogy.

17th century pirates liked to steal booty. They sailed the high seas and pillaged. They had a common flag. But they WERE NOT A GROUP.

Sure, there were groups of pirates that sailed on ships together. There was a common outlook -- that plundering booty was a worthwhile activity, ho ho and a bottle of rum, all of that. But they were not a group.

There were pirate hangouts like pirate taverns, so there was congregation, but no leadership. Pirates were not a collective.

So let's clear it all up. The anons are the pirates, IRC channels and imageboards like 4chan are their pirate taverns, and the various Anonymous outfits like @AnonymousIRC and @AnonOPS are pirate ships with multiple pirates aboard. They're groups of pirates! Simple! See?

So when the Spanish, Turkish, British or whichever police force claims to have arrested "key members" of Anonymous I wonder if they're deliberately misleading the public and their masters, or if they genuinely just don't get it.

This current batch of arrests will "bring to justice" a bunch of people who made no attempt to conceal their actions because they're either technically useless or just didn't care.

They're "low hanging anons".

But that won't stop the mainstream media from portraying this as the establishment striking back at online troublemakers.

Sigh.

TL;DR: Feds arrest dummies, MSM hails capture of anon masterminds.

This week's show is all about the news -- a 30 minute dose of Metl!