Vic Auditor General: SCADA is a mess

Government report is hardly glowing...

The Victorian Auditor General has wrapped up its investigation into SCADA security in the transport and water sectors down south.

It found major problems that will surprise absolutely no one. In short, four out of five of the installations examined were nightmarishly insecure. It also found a real lack of awareness among the operators of critical infrastructure that they even have a problem.

A lack of security understanding was on display in New Zealand recently when a spokesperson for Mighty River Power proclaimed the installation was immune to the Stuxnet malware because "we don't run Windows 2000... which we understand is the doorway for the virus".

I'd guess that in some cases more effort is put into securing billing websites for electricity providers than into securing the infrastructure itself, and this report seems to bear that out.

Most pros in the information security industry have known about these problems for a long, long time, but it's great to see them getting some attention at government level.

You can download the PDF from this page here.

It makes for fascinating reading. The text has an interesting feel and tone to it -- a mixture of disbelief and panic shine through.

I tried getting someone from the auditor general's office to chat with Risky.Biz, but the office has a policy of not commenting on reports.

The office and its staff are shielded from defamation action when writing official reports, but any commentary to the media is not protected.

The timing of all this is borderline freaky in light of all this Stuxnet hoo-ha.

Anyway, have a read yourselves and tell us what you think by commenting here.

Zeus command and control server software patched

Bad guys faster than legitimate software companies in preparing fix...

It took just three days for the Zeus botnet command and control software to be patched against a vulnerability disclosed in a security researcher's blog posting.

USA-based researcher and apparent Google security engineer Billy Rios published a detailed blog post on vulnerabilities he discovered in Zeus's command and control server.

Armed with details of the vulnerability, attackers could seize botnet command and control servers. Attackers could be criminals seeking to seize other organisations' botnets, or security researchers looking to disable botnet command and control servers.

Zeus is a malware package that targets Internet banking accounts and digital certificates. Sold on the underground, the Zeus botnet "kit" contains a user manual and all the software ingredients enterprising criminals need to get started building their botnets.

Some malware researchers say Zeus is currently the most common malware on the Internet.

Rios conducted a security audit on the command and control web application that "ships" with the Zeus kit, only to find vulnerabilities that could be used to compromise the C&C server.

His full disclosure of the bug led some to criticise Rios for helping criminals better secure their malicious software.

A source tells Risky.Biz the "patch" was first discussed on Zeus-related IRC channels by Pierre Caron.

What do you think? Should Billy Rios have disclosed his findings? Let us know by clicking here.

To hear more about this story tune into tomorrow's edition of the Risky Business podcast. RSS feeds are here.

Risky Business #169 -- Dan Geer on Stuxnet

Stuxnet sure sends a pretty clear message, says Geer...

This week's feature is a chat with industry legend Dan Geer about Stuxnet. The more we find out about Stuxnet the more it looks like something ripped out of a spy thriller. It used four 0day bugs, two stolen code signing keys and infected a bunch of systems in Iran.

Risky Business #168 -- McAfee CEO and CTO talk Intel acquisition, integration

Dave DeWalt and George Kurtz discuss proposed $7.68b acquisition...

This week you'll hear from McAfee CEO Dave DeWalt and CTO George Kurtz. Since the planned merger between Intel and McAfee, a lot of people have questioned the deal's logic. DeWalt and Kurtz front Risky Business to defend the acquisition and outline what it could mean for the security technology of the future.

Risky Business #167 -- Kuza talks about Flash and Air apps

Are Flash and Air apps the mess you'd expect them to be?

On this week's show we're taking a look at Flash applications. With tonnes of thick client apps being replaced with apps built on Flash, we thought we'd have a chat to Azimuth Security's Alex Kouzemtchenko about what some of the pitfalls in developing Flash apps are.

Risky Business #166 -- Bad guys find more ways to mess with Authenticode

It's not just stolen certs we have to worry about...

On this week's show we're chatting with F-Secure's Jarno Niemela about some of the issues with Authenticode. He'll tell us about one fascinating case where a piece of malware actually carried a valid signature from a real company... stolen keys, right? As it turned out, that company didn't make software and had no idea what an Authenticode cert actually was. Jarno got to the bottom of that little mystery and tells us all about it after the news with Adam Boileau.

Risky Business #165 -- McAfee Inside™

Are there really 7.68 billion reasons for Intel to acquire McAfee?

In this week's show we take a look at all the big news events over the last week. A newly rediscovered DLL hijacking technique has made some waves over the last seven days, as has the arrest in India of an e-voting machine security researcher.

Unremarkable spam remarkably effective

Effective spamming all too easy...

Last Tuesday was an unremarkable day. I awoke to the usual e-mails, IRC chatter and RSS reading, the most noteworthy of which was a small cluster of ZDI advisories addressing issues in WebKit.

Then I spotted the following, unremarkable tweet from @davidfarrier:

"some chap in china just hacked my gmail. and just to tell people about iphone 4s. as if people didn't know already. silly bugger."

Quickly followed by this:

"seems like lots of us twits have had our gmails/hotmails hacked this week. are you on the "hack" list? i certainly was."

The tweets in themselves were unremarkable. What was interesting was the amount of chatter surrounding the keywords "Gmail" and "Hacked". Everyone I spoke to throughout the morning knew someone who had been compromised or had been sent badly constructed spam from someone's legitimate Gmail account.

An initial look around suggested that thousands if not tens-of-thousands of accounts have been hit.

So what was going on?

Well, simply put, every "hacked" Gmail account was logged into using valid credentials that appeared to have been previously stolen. Once the attackers compromised the accounts, they sent the victims' contacts an email along these lines:

Dear friends:

Last week ,I have Order china Samsung UN55B8000 55-Inch

this w e bsite:dhsellso.com

I have received the product!

It's amazing! The item is original, brand new and has high quality, but it's much cheaper. I'm pleased to share this good news with you! I believe you will find 7what you want there and have an good experience on shopping from them.

Regards!

Presumably this was the work of a script with previously compromised account details purchased from a botnet or phishing operator. There's nothing remarkable about it at all.

In each sample that I have looked at, the source IP address of the Gmail session was the unremarkable, China-located 115.49.90.219, and the text was identical (with the exception of the product being pimped).

One possible theory that has been raised by several people I have talked to (and this is just a theory) is that the BGP "misroute" earlier in the year captured a bunch of logins (HTTP, POP3, IMAP) to Gmail services and they have been harvested as part of this attack.

Personally, I find it hard to link the two together. The reason I find it difficult to believe is that an operation capable of dragging in 37,000 networks (and managing to successfully sniff the bridged traffic) would not blindly sell the acquired data to some crappy low-level scam operation.

That sort of capability would surely attract higher bidders.

So let's continue to work with the unremarkable theory of buying some stolen Gmail credentials from a basic botnet operation to log in and send spam.

So what was the deal with the spam? The target site was dhsellso.com, which in itself is also unremarkable in many ways. It doesn't appear to host malware or phish people for details. It is reasonably well constructed and appears patched against known flaws. It is, by all accounts, just a good ol' fashioned "too good to be true and therefore is fraud" site.

Funnily enough, the person(s) behind dhsellso have struck before and have registered at least two other sites at the same time as dhsellso.com presumably for nefarious purposes (dbyers.com and dbyers1.com).

So what is remarkable about all this? How successful the operation has been.

This is for several reasons:

1) Harvested email lists traditionally sell by accuracy. 100,000 email addresses at 70% accuracy will always sell for more than 100,000 email addresses at 60% accuracy. In this case, by using the victim's address book, you can be sure the accuracy of the target email addresses would have been high (maybe 90+%?).

2) Dhsellso.com succeeded in getting their message out beyond e-mails. Systems such as blogger.com and posterous allow users to configure "magic" or hidden email addresses that when emailed, generate blog posts. Naturally, many blogs around the world started showing posts with dhsellso.com email subject and body on Google almost straight away.

3) The "junk" rate of the generated emails within Gmail / Google Apps has been pretty "low". Presumably because emails originated from valid Gmail HTTP sessions & accounts.

4) Given the fact that all emails would have appeared to come from trusted people, I would imagine the click rate might have been pretty high.

5) The fact that no one gives a shit. Pretty much everyone I spoke to who had been hacked simply shrugged, changed their password and moved on. Like getting your Gmail account owned happens every other day.

Seeing such remarkable results from such unremarkable campaigns is a tad depressing.

Now, back to my unremarkable day.

EXCLUSIVE: I know what you ate last summer

New Zealand-based Hell Pizza's database gets walked...

The online customer database of a New Zealand-headquartered pizza store chain has been compromised.

Risky.Biz understands multiple intruders have compromised Hell Pizza's 400MB database. While it does not contain any credit card information, it does contain in excess of 230,000 rows of customer entries.

The company operates 64 stores in New Zealand, three in England, nine in Australia and one in Ireland.

The database entries include the full names, addresses, phone numbers, e-mail addresses, passwords and order history for the company's customers. The information is "doing the rounds" across New Zealand.

Some who came into contact with the database contacted the company last year, posing as "concerned customers", but received no acknowledgement of the data breach. They fear the database may have already found its way into the wrong hands.

When contacted by Risky.Biz, Hell Pizza co-owner Stuart McMullin said he was unaware of the data breach. He offered no comment when a list of questions was e-mailed to him, beyond acknowledging the contact from "concerned customers" in 2009.

"I have spoken to my IT staff and they are not aware that our site was hacked or any records lost," McMullin wrote in an e-mail to Risky.Biz. "There were a couple of 'customers' that thought it was the case last year who emailed us - perhaps these are the sources you are referring to - but not to our knowledge."

While the database has become a valuable tool for security professionals in New Zealand, they believe its circulation exposes the company's customers to spam and other attacks.

It's possible that many users have recycled their passwords between their e-mail, PayPal, TradeMe, banking, eBay, Hell Pizza and other accounts. Even if just a few percent of the company's customers are recycling passwords, the database is worth obtaining, they say.

Downloading the Hell Pizza database, apparently, was very easy.

One source Risky.Biz spoke to says they looked into the security of the website when rumours of the breach started doing the rounds:

Immediately I spotted the SQL Queries being made by the Flash SWF as part of the query string to the server-side. The Flash client makes queries which are hard-coded in the .swf (this is dumb as it means SQL Injection is effectively a 'feature' of the store).

You could easily alter the query string to show the hashes stored in the MySQL users table. I figured out the version of MySQL was 4.0 (Debian Sarge) - and the hashes in this version are very weak, cracking them would take less than a couple of hours.

MySQL was listening on a remote port, so one could simply log in remotely and run queries or dump the database slowly so as to not be noticed.

Security researcher and Metasploit creator H D Moore described the security arrangements of the online ordering portal, as described above, as "about 50 steps of fail".
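The pattern the source describes, a client shipping SQL text in the query string for the server to run, is shown below beside a hardened server-side design, as an added illustration that is not code from Hell Pizza's site or from the original article. The schema, table names and records are constructed for the example; the hardened endpoint accepts only a named action and integer arguments, never SQL.

```python
import sqlite3
from urllib.parse import parse_qs

# Constructed sample data, not the real schema: a menu table plus a customers
# table holding the kinds of fields the article says were exposed.
SCHEMA = """
CREATE TABLE menu (id INTEGER PRIMARY KEY, name TEXT, price_cents INTEGER);
CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, password_hash TEXT);
INSERT INTO menu VALUES (1, 'Lust', 1990), (2, 'Greed', 2190);
INSERT INTO customers VALUES (1, 'alice@example.invalid', 'deadbeef');
"""


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def vulnerable_endpoint(conn, query_string):
    """Anti-pattern from the source's description: the client (the SWF)
    carries the SQL text itself and the server simply executes whatever
    arrives, so every table in the database is reachable from the client."""
    sql = parse_qs(query_string)["sql"][0]
    return conn.execute(sql).fetchall()


# Hardened design: a server-side catalogue of fixed, parameterised statements.
# The client may only name an action and supply values, never SQL text.
ALLOWED_QUERIES = {
    "menu_item": ("SELECT id, name, price_cents FROM menu WHERE id = ?", ("id",)),
}


def hardened_endpoint(conn, query_string):
    params = parse_qs(query_string)
    action = params.get("action", [""])[0]
    if action not in ALLOWED_QUERIES:
        raise ValueError("unknown action: %r" % action)
    sql, arg_names = ALLOWED_QUERIES[action]
    try:
        # Every argument is coerced to int before it reaches the driver, so
        # "1 OR 1=1" is rejected here rather than reaching the database.
        args = tuple(int(params[name][0]) for name in arg_names)
    except (KeyError, ValueError):
        raise ValueError("missing or non-integer argument for %r" % action)
    return conn.execute(sql, args).fetchall()
```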

Another penetration tester says the Hell Pizza database is an excellent example of "non critical" information that could still be used by attackers for great benefit.

The Chair of New Zealand's Internet Task Force, Paul McKitrick, told Risky.Biz that he had heard rumours of the database circulating around the security community as far back as last year.

"A database like this of New Zealand users' personal information provides miscreants with a valuable list of commonly used, New Zealand-centric passwords which could prove useful in brute forcing passwords," he said.

"If Hell Pizza were aware of this then they should have notified their customers. I do not know what actions Hell Pizza took, but I was a customer and I have never received any notification that my personal information has been compromised."

McKitrick, the former head of the New Zealand Government's Centre for Critical Infrastructure Protection, added that organisations that collect and store the personal details of their customers have a responsibility to notify those customers if they believe there has been a breach of their personal information.

"This enables customers to do something about mitigating their own personal exposure, such as ensuring that the compromised password was changed everywhere it had been used, because people frequently reuse their passwords."

Hell Pizza reported the breach to police after Risky.Biz provided it with some database excerpts it could verify.

BLOG POST: Washington Post investigation reveals military digital complex

The militarisation of computer hacking is well underway...

So here's some food for thought: According to a report in the Washington Post, 22 US Government departments and 143 private companies are involved in top secret "cyber operations" programs.

The numbers were revealed as the paper published the results of a two-year investigation into the post-9/11 military, industrial and intelligence complex in the United States. They seem to confirm the emergence of a "military digital complex".

More on that in a bit.

The investigation is said to have caused minor panic in the intelligence community in the United States, and you can see why. While the newspaper hasn't unveiled any secret information, per se, some of its revelations are staggering:

  • 854,000 Americans hold top secret security clearances.
  • As many agencies and contractors are involved in top secret cyber ops as are involved in top secret border control.
  • 1,271 Government organisations and 1,931 private companies work on intelligence, counter terrorism and homeland security related programs.

Cyber Operations, as defined by The Washington Post, encompasses "the fields of computer network attack, computer network exploitation, and computer network defence".

The category also includes "traditional electronic warfare" intended to knock out electronically dependent equipment. EMP anyone?

There's an interesting table here that shows where the money's going.

I discussed the emergence of "militarised hacking" nearly two years ago with Dan Geer, the Chief Information Security Officer of In-Q-Tel, a strange organisation that essentially acts as the CIA's private investment arm. I should stress here that Dan was not being interviewed as a representative of In-Q-Tel, just as an infosec luminary.

The topic of the interview was the emergence of the "military digital complex".

US President Dwight Eisenhower coined the term "military industrial complex" during his farewell address in 1961. His speech warned the United States was in danger of developing a war-dependent economy.

Could the same happen in the digital arena? I asked Geer in 2008 if we were seeing the emergence of a "military digital complex".

"There comes a point at which the legitimate questions of nation statehood, of sovereignty, also get confabulated with the interests of what had been an industrial world and is now a digital world," he answered.

"It should come as no surprise to us I think, that those who... profit from war in materiel and machinery will be supplanted in time by those who profit in war from digital goods."

Click here to listen to that interview.

What The Washington Post has done is as good as confirm the emergence of this military digital complex.

Increasingly I'm hearing of exploits, for example, being hoovered up by US intelligence agencies. People are disappearing into opaque organisations to do work they can't talk about.

What we're talking about here is the militarisation of computer hacking, something I find ironic given the counter-culture and rebellious roots of "the scene".

It's natural, I suppose, for a government to develop an offensive and defensive "cyber ops" capability.

But when does a ramp-up in capability turn into an arms race? How can we act surprised when we read reports of China building a cyber-army when the US Government has 165 separate entities working on cyber ops programs that are classified top secret?

On another note, how much money is going into the development of this sort of capability due to the inherent insecurity of civilian digital technology used in both commercial and industrial applications? Wouldn't we be better served by actually securing the world's civilian digital infrastructure? That way we wouldn't need an arms race.

It's my feeling that we should watch what the US Government does here with a keen eye. I fear a new arms race -- a digital arms race -- could be emerging. That's bad news for everyone -- it will hoover up talent and technology to the detriment of our industry, for starters.

We cannot compete with military budgets. Talented infosec researchers and developers will be sucked into the war machine instead of working on technologies that can benefit wider society.

Watch this space closely.

GUEST POST: 'Robin Sage' fooled no one but the media

Jack Daniel vents his frustration with media outlets, including Risky.Biz...

I am talking about the coverage of that story, where the reporting has largely been horrible, gullible, naive crap. Sorry folks, but yes, that includes coverage from people I like. If you believe a lot of what you read, you would think that a lot of people were "duped" into following/friending/linking/whatevering Ms. Sage. This shows a gross lack of understanding of both social networking and the security community, both on the part of the journalists, and to a lesser extent, the researcher.

BLOG POST: Manning not charged with leaking 150k cables

Alleged US military Wikileaks source to get day in court...

US soldier Bradley Manning has been charged with disclosing classified material to whistleblower site Wikileaks.

But it's what he hasn't been charged with that's interesting.

Since the news of Manning's arrest broke there has been much speculation about the fate of 150,000 diplomatic cables the young soldier is alleged to have stolen.

However, according to the charge sheet, only 50 diplomatic cables were disclosed to an unnamed third party.

In the charge document the US government alleges Manning did "willfully communicate, deliver and transmit the cables, or cause the cables to be communicated, delivered, and transmitted, to a person not entitled to receive them".

While the charges allege Manning also stole 150,000 diplomatic cables, there's no mention of him leaking them to a "person not entitled to receive them".

This doesn't actually tell us whether or not Manning has leaked the 150,000 cables. What it does tell us is the US Military does not possess enough evidence to charge Manning with leaking that material.

Could it be that Wikileaks is sitting on those cables, withholding their publication until Manning's legal problems are over with? Or could it be that Manning was arrested before he could leak the 150,000 cables he allegedly stole?

It's impossible to say. But the omission of a charge involving the leaking of that information is certainly interesting.
