This week's edition of the show is brought to you by Tenable Network Security, thanks guys.

AusCERT has broken an embargo, accidentally and prematurely broadcasting a security bulletin pertaining to multiple vulnerabilities in the BIND DNS server earlier today.

The accidental disclosure comes as the United States celebrates the evening of July 4, its independence day. The bulletin was supposed to be issued on the morning of July 6, US time. Instead, it was mailed to AusCERT's subscribers a short time ago.

The bugs themselves aren't Earth-shattering; two remote DoS conditions, including a packet-of-death-style attack. But operators of "important" BIND installations will likely be annoyed by the holiday-destroying timing of the release.

"We made a mistake, we weren't supposed to issue them," AusCERT's general manager Graham Ingram told Risky.Biz. "We've apologised to group involved, we didn't quite understand the embargo, we missed it, and we accidentally released it."

AusCERT sent a bulletin recall a short time ago. In part, it reads: "We apologise if the premature announcement has caused you to initiate any action for which you are unprepared and which must now be interrupted. Please do not distribute the AusCERT bulletin. Please delete it from your system immediately and permanently."

The extra two days lead time would-be attackers may have up their sleeve due to the disclosure is unlikely to be sufficient for the bug to be weaponised before ISC2 releases the relevant patches, said a security professional who declined to be named.

"It looks like the new code/version isn't up yet, but given the statement says there's no known workarounds, it would still be of concern to an admin," our uber-sekr3t source says. "But it's an unauthenticated remote DoS. If it was a remote code execution issue, the information in the bulletin would be more useful to an attacker."

TL;DR: AusCERT make boo boo. Drunk/hungover/angry BIND admins work holiday.

Check out the latest Risky Business podcast here.

Episode 200 FTW!

The database includes the e-mail addresses and clear-text passwords of the site's 300,000 users. It was discovered by Australian security consultant Daniel Grzelak as he searched for publicly accessible databases containing e-mail address and password pairs.

Grzelak used Google to search for SQL database files that were web accessible and contained keywords like "password" and "gmail".

"A few hours and tweaks later, this database came up," he said. "I started scrolling, and scrolling and I couldn't get to the bottom of the file. Then I realised how big it actually was."

Since leaving a security consulting position with Australian information security company Stratsec, Grzelak has been working on a start-up gaming media company with two friends.

As a side project, he created shouldichangemypassword.com, a website that allows any Internet user to search a database of known-compromised e-mail address and password pairs to see if their password has been compromised.

Grzelak was searching for more compromised accounts to add to the website's database when he stumbled across the Sosasta database.

The shouldichangemypassword.com database includes leaked or stolen account information from 17 recent high-profile breaches. "There are now... 1.3 million records on the site," he said. "All the LulzSec releases are included as well as data from other high profile incidents such as the Mt. Gox Bitcoin exchange hack and the Gawker breach from a year ago."

Grzelak contacted Risky.Biz after the Sosasta discovery to seek advice on disclosure. This website contacted the CEO of Groupon, Andrew Mason, who called back personally within 24 hours of initial contact.

The database was removed immediately and the company has launched an internal investigation to find out how it wound up publicly accessible in the first place.

Groupon is notifying all its Sosasta users of the incident and is advising them that the passwords they used on the website are now compromised and cannot be relied upon to secure other accounts.

Grzelak, meanwhile, says this type of accidental disclosure is actually quite common. "There are thousands of these databases indexed by Google," he said. "This just happened to be by far the biggest I found."

Groupon's statement is below:

On Friday morning India time (Thursday night Central US time), Groupon was alerted to a security issue potentially affecting subscribers of Sosasta, a website acquired by Groupon in January 2011.

After being alerted to this issue by an information security expert, we corrected the problem immediately. We have begun notifying our subscribers and advising them to change their Sosasta passwords as soon as possible. We will keep our Indian subscribers fully informed as we learn more.

Sosasta runs on its own platform and servers, and is not connected to Groupon sites in other countries.

We are thoroughly reviewing our security procedures for Sosasta and are implementing measures designed to prevent this kind of issue from recurring.

This issue does not affect data from any other country or region.

Groupon takes security and privacy very seriously. Our users' trust is of paramount importance to us and we deeply regret this incident. We will provide more information as soon as possible.

Ed: Some of the search string in the Google search screen capture has been redacted. It brought up more exposed databases...

Click here for the latest Risky Business podcast.

Put on your Hypercolor t-shirts and Swatch watches, because this week's show features an interview with Jason Scott, the founder of Textfiles.com.

A documentary crew are looking to interview people who remember the Melbourne BBS and hacking scene in the late 1980s, early 1990s.

They're coming to Melbourne in a few weeks to film.

I've seen one of their documentaries before: Enron: The Smartest Guys in the Room, and it was pretty good. I've had a chat with the producers and it seems unlikely to me that the docco will be a hatchet job.

That said, I don't know these guys from a bar of soap, I can't make any guarantees as to their professionalism or ethical conduct.

They've asked me to assist them in finding some sources who can talk about the Melbourne "scene" in the early 90s.

I agreed to post a direct message from producer Alexis Bloom (below) on this blog because, as a journalist, I think it's important for producers of documentaries like these to have access to sources that can provide them with accurate information and context.

If you feel you can contribute or you'd like a bit more info, get in touch with me for the producer's contact details. Patrick at risky dot biz.

MESSAGE:

I'm a documentary film producer at Jigsaw Productions in New York. We’ve made films like Academy Award-winning "Taxi to the Dark Side," and "Enron: The Smartest Guys in the Room."

In essence, we're a small, independent production company that tries to call truth to power -- that takes a stand against corporate greed, military overstep, and bad governance.

You can read more about our films here: http://www.jigsawprods.com/
(Apologies for website, which is being updated.)

We've been commissioned by Universal Studios to make a documentary featuring WikiLeaks, and the ideas connected to it. I know many of you probably think this subject’s been done to death -- and so did we, at least initially. Then we started to realize that the coverage out there has been pretty thin -- the big picture is missing. And some of the reporting's been mystifyingly wrong.

We want to use WikiLeaks as a springboard to explore key issues such as information security, digital privacy, and government transparency in the 21st century. It's not a Julian Assange biopic. It's not a Bradley Manning biopic either.

Of course, part of the story of WikiLeaks deals with its protagonists, and how they came to hold the ideals that drive them today. Character is not incidental to narrative, and with Proff in particular, the years he spent in the vibrant Melbourne scene are important in terms of understanding his later goals and ideals.

We've been talking to hacker collectives in Boston, in Berlin, and in the UK. It's clear that each country has its own incubator of ideas – and Melbourne in the late 1980s and early 1990s strikes us as a pretty pioneering, interesting place, with its own distinct character. BBS's were obviously a big part of all this.

Dispel the stereotype of hackers as video-gaming, pornography downloading isolationists. We're looking for people who remember the energy of the scene. The exploration. The fun. We living in a time when non-traditional actors are giving the suits a run for their money, and we want to capture a sense of the spirit.

Our film will be distributed by Universal, for wide release in theatres.

With many thanks,

Alexis Bloom

www.jigsawprods.com

It looks like Melbourne-based hosting company and ICANN-accredited domain name registrar Distribute.IT is fighting for its very survival.

The company has posted this depressing notice on what's left of its Web-site.

It might seem crazy, but Distribute.IT is facing nothing short of an existential crisis because, absurdly, it didn't take offline backups. As the company itself put it:

"Our Data Recovery teams have been working around the clock in an attempt to recover data from the affected servers shared Servers [sic]. At this time, we regret to inform that the data, sites and emails that were hosted on Drought, Hurricane, Blizzard and Cyclone can be considered by all the experts to be unrecoverable... our greatest fears have been confirmed that not only was the production data erased during the attack, but also key backups, snapshots and other information that would allow us to reconstruct these Servers from the remaining data."

This is exactly the scenario I discussed with the host of the PaulDotCom Security Weekly podcast Paul Asadoorian during an interview in Risky Business back in episode 188 [42:05].

During that discussion I suggested to Paul that the current information security risk models were ineffective in dealing with high-impact, low likelihood events. You know, like some really determined and destructive attackers burning down a business. Paul's summed it up thusly:

"We can tell management about the risk all day long and they're not going to believe us until it happens to them. If you told an executive at any one of these companies... 'with our current defences in place and the risk management tactic that we're taking now, there's a probability that this could still happen and it would be really, really bad. They're probably just going to say 'yeah, well we think the business can just recover from that,' and what you're saying, Patrick, is that's not always the case, and our current risk management thinking is allowing for these cases to happen where, are you really going to be able to recover?"

From the Distribute.IT page again:

"This leaves us little choice but to assist you in any way possible to transfer your hosting and email needs to other hosting providers."

Distribute.IT has not been able to recover. Furthermore, it seemed the company did not think this type of attack was a serious enough risk to warrant implementing a strict offline backup regimen.

This is just one example of a poor risk decision. But there are plenty of other examples of these sorts of decisions being made in large information technology environments.

Some manager, somewhere, just decides to "wear the risk" because the assumption has always been that the organisation will recover if its risk controls fail.

It's not their fault; often it's the information security "experts" from outside the organisation who actually encourage these sorts of decisions. "Risk management methodologies" are the information security industry's attempt to pretend everything's under control.

It's not, and the Distribute.IT case proves it's not always possible to recover.

Distribute.IT might be a small business in the grand scheme of things, but do we really think we couldn't see similar sorts of existential threats to larger, IT dependent businesses that might not be as risk savvy as, say, a bank?

What about a shipping company? What about a taxi service? A manufacturer? An online retailer?

To what extent are businesses and government departments vulnerable to total annihilation from external attackers?

If anyone's interested in diving a bit deeper into flaws in risk-based information security practices, check out this interview with former NSA Technical Director, Information Assurance, Brian Snow. The interview with him kicks in at around 25:21 and I thoroughly recommend it. Brian is an extremely sharp guy and makes some very salient points.

The Distribute.IT story is a sad one. But it's a great example of what happens when people ignore risks they shouldn't. Sure, you might have tape/offline backups, but are there other risks you're wearing that you shouldn't?

What do you think? Tell us in our forum thread on this topic here.

Lulzsec has featured prominently in security discussions after their hacks of PBS, Sony, Nintendo and a raft of gaming companies in the past month.

There were even more discussions when they took aim at the CIA and went on to proclaim victory.

Patrick wrote an interesting piece which went viral titled: Why we secretly love LulzSec.

His argument was simple:

So why do we like LulzSec?
"I told you so."
That's why.

The article clearly struck a chord with many who added cries of "hell yeah!" all over the twittersphere.

There's a part of me that wants to agree, and scream "we've been telling 'em since 2000... Maybe now they will listen".

Among those who've been "telling 'em since 2000" is industry stalwart Marcus Ranum.

Ranum says a lot of things. Some things I disagree with on principle, and other times he is just being contrarian.

But at BlackHat 2000 he gave a keynote titled "Script Kiddiez Suck" that has turned out to be remarkably prophetic.

The audio is still available online, and the talk is worth hearing if only for the final line: "The Huns didn’t know how to build a Rome -- they only knew how to sack it".

Quoting from his talk:

4:00: "My suspicion is that if we as a community aren't able to change that mindset in house, we're going to have the brutal jackboots of the government going to come along and do it for you... you don't want to be in the situation five years from now where what you've got is some senior guy from the FBI telling you how all those security tools you have been using for years are illegal now. And that's where it's going to go down if you're not careful".

Do we really think the same people who brought us the Patriot Act, Guantanamo and Rendition are not currently licking their lips, and preparing to "save us" from the evil hackers?

Ranum went on to warn:

07:29: "I believe the public at large is getting sick and tired of hacking... It's no longer your companies IS department that has got a problem with people getting into your firewall... It's starting to happen. Joe Average is starting to wake up and realise that the hackers and script kiddies are not his friend and what generally happens in America when Joe Average wakes up is he lashes out in anger by calling up congressmen and so forth and you get stupid knee jerk legislation out of Washington so unless we can clean this problem up.... we going to have Washington helping us with knee jerk legislation.... either way the situation is going to have to change once Joe Average gets involved".

His talk also made specific mention of the folly of attacking news/media sites. "Don't bite the hand that feeds you," he said.

The LulzSec hacks hit all three marks so perfectly, it almost reads like a script (and has to get conspiracy theorists wondering).

1. Target the media: CHECK
2. Target government installations: CHECK
3. Target Joe Average: CHECK

When average people get their Facebook accounts hacked because some site they once used was compromised by some people they never met, anger levels are bound to rise.

Ranum predicted that the next stage would be governments using the change in public sentiment to "take the fight to the attackers", that governments would target the supply chains regulating the creation and use of security tools.

Some good might come out of the recent attacks, and mega-corps like Sony may finally have learned (through crisis) the insanity of not having a CSO role, but Governments rarely leave a crisis unexploited. It's the perfect setup for them to offer us a cure, to step in and "save" us, and in this case, I fear that that the cure will be far worse than the condition we are in.

Haroon Meer is the head honcho at Thinkst in South Africa.

@haroonmeer

Click here to check out the latest Risky Business podcast and here to subscribe via iTunes.

In this week's feature interview we're chatting with Gartner Research Director Andrew Walls about a fascinating research paper released by Microsoft.

According to The New York Times, "sophisticated attackers" stole large quantities of customer data from Citi, using computers.

You can read the article here.

We know the attackers used computers, because they typed an account number into a URL bar, and computers have URL bars. Computers are sophisticated, and anyone who uses them is, apparently, "especially ingenious". Just read the article.

But the quote that really got me was this one: "[The attackers] leapfrogged between the accounts of different Citi customers by inserting various account numbers into a string of text located in the browser’s address bar."

The report quoted a security expert familiar with the investigation as saying "it would have been hard to prepare for this type of vulnerability" and this attack is only one of a "wave of more and more sophisticated breaches by hi-tech thieves".

Now I've tested a few Web apps in my time as an information security consultant, so I guess I am moderately sophisticated with these here com-putars by the standards of The New York Times, but as far as I can tell the OWASP Top 10 Number 4: "Insecure Direct Object Reference" is a fancy way of saying "herp a derp, lets put the account number in the URL bar, and just hope no one increments it".

So lets just come right out and say it: If this NYTimes piece is correct, these are not sophisticated attacks.

Sony getting SQL injected? Not sophisticated. Citi account-in-the-URLbar? Not ingenious.

The sad thing is nearly every in the wild, for actual profit cyber-crime is carried out using bog-standard, basic flaws that have been well understood, documented, taxonomised, discussed, weaponised and used in the wild for years.

Anyone from a 13 year old kid to the Russian mafia can and will break into almost anything in minutes using common garden flaws that even the slightest attempt at planning an approach to the foothills of the snowy, cloud-lost peaks of Mt Best Practice would have spotted.

If, as per the reports, Citi got 200,000 customer records stolen through changing the account number in the URL string, then it's almost certain it never got that Web site tested for security.

Can we all just say that out loud? It's possible that the world's largest financial services network didn't get this system tested for security.

The NYT breaks it down for mom-n-pop: "Think of it as a mansion with a high-tech security system -- but the front door wasn’t locked tight."

No: They. Didn't. Test. It.

Hell, even if you fired an automated webappsec tool at something like that, you'd find it. Same as with all Sony's SQL injection. These are not "high-tech security systems" that aren't "locked tight". If the NYT report is accurate, this is straight out negligence.

In Maine last week, the judge in the case of Patco vs Ocean Bank concluded "the law does not require the bank to implement the 'best' security measures available and that the bank is clear to customers when they sign up about the level of security it provides".

Sure, perhaps expecting diamond-studded RSA tokens when you sign up for Internet banking is a bit much, but how about basic security testing?

Companies like Citi aren't the only class of sinners. Recently a large, name-brand software vendor admitted to our mutual customer that it, too, had never actually commissioned external penetration testing of its security focused product.

The product is marketed as an enabler of robust multi-tenanted security boundaries. The software maker had never tested it: "Nope, not at all, why do you ask?"

One of the bugs involved just typing the name of another customer into an input box, instead of clicking your own from a list.

Or perhaps you'd like more irony? How about arbitrary file read via ../../../ in the URL bar in Trend Micro's "Data Loss Prevention Virtual Appliance"?

Your bank gets owned because computers are sophisticated. Computers are hard. Building, deploying and maintaining secure business computer systems is fiendishly hard.

But, NYTimes, don't tell me that Citi lost 200,000 customers worth of information because of a sophisticated attacker. Tell me the truth: it lost the information because it failed to test its systems. It failed to take even what limited basic options we as an infosec industry can offer -- the OWASP Top 10, some basic Web app penetration testing, and perhaps hiring a security consultant who might better prepare the company against an earth-shatteringly sophisticated attack involving the alteration of an account number in the URL bar.

TL;DR Typed account number into browser, owned bank.

Editor's note: The funny thing is we hear good things about Citi's in-house pentesters. Either the NYTimes article is incorrect, or somehow this bug just slipped through to the keeper. We have no idea. It's hardly the point: Even if Citi didn't get owned this way, plenty of others do and it makes us all very sad pandas at Risky Business HQ. :'(

In this week's feature interview we're chatting with Neal Wise of Assurance.com.au about RSA's decision to finally admit what we all knew already -- that its SecurID product line has been compromised. RSA is offering to replace tokens... we'll chat with Neal about whether it will make sense to do that or not.

Although large sections of the security community will deny it if you ask them, they're secretly enjoying watching LulzSec's campaign of mayhem unfold.

So far the "hacker group" has penetrated systems owned by Sony, PBS, the "FBI affiliate site" Infragard, security company (hah!) Unveillance and Nintendo, among others.

They're posting proprietary developer code. They're bringing back Tupac and Biggie. They're advising Nintendo on more secure httpd configurations. And they're issuing funny press releases via Twitter and Pastebin.

In the last few weeks these guys have picked up around 96,000 Twitter followers. That's 20,000 more than when I looked yesterday. Twitter has given LulzSec a stage to show off on, and showing off they are.

The Internetz, largely, are loving it.

It might be surprising to external observers, but security professionals are also secretly getting a kick out of watching these guys go nuts.

I wrote my first article on information security around May 2001. It was about the Sadmind worm and it ran on the letters page of the IT section of The Age newspaper in Melbourne.

"Geez," I thought to myself. "If awareness isn't raised about the unsuitability of these computamajiggies for srs bizness, we could encounter some problems down the track."

So for the last ten years I've been working in media, trying to raise awareness of the idea that maybe, just maybe, using insecure computers to hold your secrets, conduct your commerce and run your infrastructure is a shitty idea.

No one who mattered listened. Executives think it's FUD. They honestly think that if they keep paying their annual AV subscriptions they'll be shielded by Mr. Norton's magic cloak.

Security types like LulzSec because they're proving what a mess we're in. They're pointing at the elephant in the room and saying "LOOK AT THE GIGANTIC FUCKING ELEPHANT IN THE ROOM ZOMG WHY CAN'T YOU SEE IT??? ITS TRUNK IS IN YR COFFEE FFS!!!"

There is no security, there will be no security. The horse has bolted, and it's not going to be the infrastructure that's going to change, it's going to be us.

LulzSec is running around pummelling some of the world's most powerful organisations into the ground... for laughs! For lulz! For shits and giggles! Surely that tells you what you need to know about computer security: there isn't any.

The mainstream media are having fun criticising Sony for its poor security, but do we honestly think for a second that the XBox Live network can't be similarly pwnt? (I know the PSN breach hasn't been pinned on LulzSec, but the point stands.) Is there any target out there that can't be "gotten"?

State-sponsored attackers, likely Chinese, have even wormed their merry way through the networks of the US military industrial complex, buggering off with the blueprints for the next Lockheed Martin death-ray-lasermatron or similarly diabolical, geo-strategically altering super-weapon.

Yay! Human rights abusers with US-designed military technology! w00t w00t!

Thanks, RSA. <3

Don't even get me started on them. As BlackHat organiser turned US Department of Homeland Security advisor Jeff Moss Tweeted yesterday, "When I heard RSA had a shiny new half million dollar HSM to store seed files I wondered where had they been stored before".

We're relying on these boneheads to lock down our most sensitive R&D? Shoot me now.

What about privacy? Oh, well that's out the window too. Did you hear Facebook has facial recognition now? Great, huh? Plus the bloatware that is Facebook's Web application is full of bugs anyway, so we really do just have to assume all our Facebook accounts are pwnt. Our telcos are owned, our mobile devices track us, as the iPhone/Android tracking scandal showed us. Privacy is dead.

So why do we like LulzSec?

"I told you so."

That's why.

Check out the latest Risky Business podcast here.

On this week's show we're taking a look at the issue of failkit. Why is it that the very software designed to keep our networks secure is full of bugs?

On this week's show we're chatting with HD Moore all about a recent decision by research house VUPEN to refuse to share their research into Chrome vulnerabilities with Google.

Microsoft was kind enough to sponsor our coverage of AusCERT's 2011 conference and as a part of that sponsorship arrangement we're doing these sponsored podcasts. We've already posted two interviews with Microsoft peeps about security issues, but we're posting this full talk as well.

This is a full presentation by AusCERT's day three keynote speaker Ross Anderson.

Tony Oliver and the Pubcast crew interviewed me about the talk I did at ITWeb's Security Summit in South Africa the other week.

My talk was all about militarisation trends in the digital security field. I drew parallels between the Cold War and what's happening now. You can find it here.

Thanks to Tony and the rest of his gang for having me on their show. It's good to be on the other end of an interview every now and then!

You're about to hear one of the highlights of AusCERT's annual conference -- the speed debates! Not to be taken too seriously, the speed debate happens at the end of the con -- it's a chance to have a laugh and shed some lighter perspectives on the security discipline.

This podcast is a complete presentation by APNIC's Geoff Huston.

Microsoft was kind enough to sponsor our coverage of AusCERT's 2011 conference and as a part of that sponsorship arrangement we're doing these sponsored podcasts. They're general chats with Microsoft peeps about security issues.