Podcasts

Risky Business #231 -- Hacktivism a genuine threat: DBIR

Presented by Patrick Gray (CEO and Publisher) and Adam Boileau (Technology Editor)

This week's feature interview is a chat with Verizon Business Security Solutions' Bryan Sartin about the annual Data Breach Investigations Report, or DBIR.

Risky Business covers the report [pdf] every year.

It's basically a post mortem of the previous year -- what sort of records were breached, and by whom? What were the attackers' motivations? What were their techniques?

The US Secret Service cooperates with the report, as does Australia's own Federal Police. When you throw in Verizon's own caseload, you wind up with something approaching an authoritative report. It's rare for a vendor to actually put out something this good.

The 2012 report, which focuses on 2011 incidents, arrived at a very interesting conclusion -- in 2011, more records were breached by hacktivists than criminals.

In this week's sponsor interview we chat with RSA Australia's acting country manager Geoff Noble. Geoff normally heads up sales, but don't hold that against him, because as you'll hear he's actually got a deep understanding of trends in enterprise security.

I got Geoff on the phone earlier this week and asked him to tell us what trends emerged at the most recent RSA conference in San Francisco.

Risky Business #230 -- Can security tester accreditation work?

Presented by Patrick Gray (CEO and Publisher) and Adam Boileau (Technology Editor)

This week's feature interview is with Alastair MacGibbon, CEO of CREST Australia -- the Council of Registered Ethical Security Testers.

In the UK, CREST is a big deal, and now it's on its way to Australia and NZ. There's even a similar organisation in the USA doing things the CREST way, so this approach could actually become a worldwide, accepted accreditation for security testers.

I know one extremely capable tester who flew over to the UK to take the CREST tests and wound up flunking the team leader portion of one of them, so it's not your typical rubber stamp.

But! With such a lack of talented security testers out there, it seems possible from where I sit that CREST may have to lower its standards to get enough people certified. And security is such a fast moving discipline -- how will we ensure that CREST certified testers have current skills?

That's this week's feature.

Adam Boileau, as always, stops by to chat about this week's news headlines.

CREST launches in Australia

Presented by Patrick Gray (CEO and Publisher)

The Australian government has announced the establishment of the Council of Registered Ethical Security Testers, or CREST.

CREST is a pretty big deal in the UK. Over there it's an extremely serious series of tests that can give hiring organisations a semi-reliable indication that a tester knows what they're doing. If you don't have your CREST certification, there's work you simply can't do.

But who knows what it'll morph into here -- the jury isn't just out, it hasn't even been empanelled yet. Government involvement isn't usually a good start.

You can read the Attorney General's announcement here.

Interesting to note that Alastair MacGibbon, a former Australian Federal Police agent (that was years ago now), is the CEO of CREST Australia.

He has zero background in security testing but his appointment makes sense -- it wouldn't be politically possible to appoint a CEO from a professional services organisation.

This way there's no conflict of interests.

Risky Business #229 -- Adrian Lamo on the LulzSec arrests

Presented by Patrick Gray (CEO and Publisher) and Adam Boileau (Technology Editor)

On this week's show we're catching up with Mr. Popular himself, Adrian Lamo.

Adrian is best known as the guy who turned in alleged Wikileaks source Bradley Manning, but he also has some very interesting perspectives on the LulzSec arrests.

This week's show is sponsored by Tenable Network Security! In this week's sponsor interview Tenable product Manager Jack Daniel will be along to chat about a recent Tenable Webinar that was all about the internal politics of security. If you're struggling to get your colleagues on side, you want to listen to that interview!

Adam Boileau, as always, joins the show to discuss the week's news.

Wikileaks Stratfor email dump could be FBI sting

Presented by Patrick Gray (CEO and Publisher)

Global law enforcement swooped overnight, arresting a handful of online miscreants who, between them, have generated more headlines than the rest of the online underground put together.

That's right, LulzSec has been comprehensively pwnt. Some were arrested yesterday in raids; others, arrested some time ago, had their indictments unsealed by the courts.

But it was the news that online Anonymous hero Sabu, aka Hector Xavier Monsegur, had been acting as an FBI snitch since August 2011 that came as a shock to many.

It shouldn't have.

Back in September 2011, Sabu returned to Twitter after a one month hiatus as rumours of his arrest swept the Internet. He had indeed been arrested and flipped. By the time he logged back on to Twitter he was an active asset of the FBI.

The game had been up for Sabu since June 2011 at the latest. His identity had been well and truly exposed, with multiple pastebin posts unmasking him.

You would think anyone with half a brain would keep their distance from a high-profile target who was rumoured to be arrested, disappeared for a month, then reappeared.

But no. Everyone stayed tight. That's how the attackers allegedly behind the HBGary Federal attack, Stratfor's mail leak, the law-enforcement con call wiretap and attacks against Sony Entertainment have all wound up in the clink.

None of this matters. The real play here could be for Wikileaks and its founder Julian Assange.

We know these are the people who stole Stratfor's e-mail. This is the e-mail Wikileaks recently began publishing and releasing to its "media partners". We also know that this particular group of hackers had been completely and utterly compromised by the FBI.

Is it possible that the idea of passing Stratfor's mail on to Wikileaks, instead of just publishing it to the Internet, was in fact the FBI's idea? This group published HBGary's stolen mail directly to the Internet, why change now? Could it be that Sabu, at the behest of the FBI, was advocating a different approach?

You would think that the negotiated handover of illegally obtained data could open up all sorts of conversational possibilities. If a Wikileaks staffer asked these anon contacts to illegally obtain more information from other targets, I imagine that would be legally problematic.

The trick for the US Department of Justice could be trying to portray Wikileaks as the document laundering arm of Anonymous.

You can bet your bottom dollar that any communications between Wikileaks and this group were monitored, but it will be some time before we know if prosecutors can make hay from them.

Listen to Wired.com's news editor Kevin Poulsen discuss the Stratfor email dump. (24 mins in.)

Patrick Gray on Twitter.

Risky Business #228 -- Wikileaks the new Anonymous?

Presented by Patrick Gray (CEO and Publisher) and Adam Boileau (Technology Editor)

This week we'll be joined by Wired.com's news editor Kevin Poulsen for a chat about the big news of the week -- Wikileaks' gigantic dump of private intelligence contractor STRATFOR's allegedly stolen e-mails.

This week's show is sponsored by Adobe, and Adobe's head of product security, Brad Arkin, will be along to discuss the way ISVs view white-hat research. You might love your latest sandbox bypass technique, but he doesn't! That's this week's sponsor interview with Adobe's Brad Arkin.

As always, Adam Boileau stops by for a check of the week's news headlines.

Risky Business #227 -- Surveillance, the state and fascism

Presented by Patrick Gray (CEO and Publisher) and Adam Boileau (Technology Editor)

In this week's feature interview you'll hear part two of my interview with In-Q-Tel's CSO Dan Geer. We chat with Dan about electronic surveillance, the state, fascism and even the "digital Amish".

He is, as always, fascinating.

This week's edition of the show is brought to you by Hacklabs, an Australian penetration testing firm. Some homegrown support! Thanks, guys.

Hacklabs' very own Chris Gatford will be along in this week's sponsor interview to have a chat about Glenn Mangham, the Brit who's now serving a prison term for hacking Facebook despite his claim to be all very, very white-hatty.

Adam Boileau, as always, checks in to discuss the week's news headlines.

Risky Business #226 -- "Digital Exhaust" with Dan Geer

Presented by Patrick Gray (CEO and Publisher) and Adam Boileau (Technology Editor)

On this week's show we chat with information security legend Dan Geer about traffic analysis and "digital exhaust".

Everything we do online produces a tonne of metadata. What can be inferred through the analysis of this metadata and who's likely to analyse it?

Part one of my chat with Dan Geer is this week's feature interview.

This week's show is sponsored by RSA Security, the security division of EMC.

So in this week's sponsor interview we're chatting with RSA's Mason Hooper about the company's 2012 Cybercrime Trends Report. Is Zeus still Zeusy? Still Godlike? We'll find out at the back of this week's show.

Adam Boileau, of course, drops in to discuss the week's news headlines.

Risky Business #225 -- Will DMARC actually help anyone?

Presented by Patrick Gray (CEO and Publisher) and Adam Boileau (Technology Editor)

On this week's show we're taking a look at the DMARC anti-phishing effort. We mentioned it on the news last week, but we're going to get into it properly with our good buddy Paul Ducklin. He's along after the news.

This week's show is sponsored by Tenable Network Security.

Tenable's chief executive Ron Gula will be along in this week's sponsor interview to chat about the theft of Symantec's source code. He doesn't think it's a world ender, and you know what, he's probably right! He's along after this week's feature interview.

There's also plenty of news to discuss with our news co-host Adam Boileau!

You can "like" Risky Business on Facebook here.

Find Patrick Gray on Twitter here.

Symantec light on AV compromise specifics

Presented by Patrick Gray (CEO and Publisher)

Symantec claims customers using its endpoint protection and antivirus products are not at risk following revelations that the company's AV source code was stolen in 2006.

But when it comes to providing specifics, Symantec is guarded.

Following yesterday's blog post, Symantec has claimed recycled source code from its corporate antivirus product of 2006 makes up only 5% of current endpoint protection software.

But it won't say which 5%.

Furthermore, 5% of Symantec's latest bells-and-whistles endpoint security products is a lot of code; basic corporate AV solutions from 2006 were pretty small compared to today's bloatware. So it could well be that a large proportion of the stolen code is actually in the current product. THAT's the percentage I'd like to see.

Here's the company's response to yesterday's questions, and below that my lingering unease about the company's answers.

    We have definitely analyzed the 5% of the code and have determined it to be benign enough in nature not to present a security threat to current Symantec and Norton users if an attempt was made to exploit it for the purposes of a cyber attack. Furthermore, as mentioned in the previous e-mails, the combination of features in the current Symantec and Norton software would protect customers against an attack. For competitive purposes and protection of our intellectual property, we are not going to get into the specifics of the exact functionality of the 5% of that code.

    Given the visibility of this incident, i.e. there is consistent monitoring of our communications by hackers and the Anonymous group, we're hesitant to provide specifics on the size of the code for NAV CE and SEP 10.2 (hence someone may be able to tell what they have or don’t have based on the size alone). However, you are correct that the total amount of code for Symantec Endpoint Protection is demonstrably larger than NAV CE, again, if for no other reasons than to accommodate all of the new features and functionalities layered upon over the previous six years.

More technical readers would know that the claim that extra features in the company's newer endpoint protection software would make exploitation impossible is quite simply bunk.

Sure, they might provide some defence-in-depth protection against malware, but I fail to see how a new, whiz-bang file reputation ranking engine will prevent targeted exploitation of vulnerable AV scanning engine code, for example.

Further, Symantec has stated it analysed the relevant code and determined it's not vulnerable, but won't say which chunks of that code have found their way into current products. Why? Surely if the code is good it can say which component is still being used in current source trees.

Also, calling Anonymous a "group" is a bit silly, especially in this instance as it was a bunch of people calling themselves the Lords of Dharmaraja who claimed credit for the attack. Anons have just been chuckling along with them. For a company like Symantec to conflate this compromise with the activities of a broader meme/movement like Anonymous may be convenient for PR purposes, but it's not really accurate.

So, brass tacks time: It's unlikely the Symantec AV source code that's doing its rounds over the Internet is going to really help attackers out there in a meaningful way. That said, I get the impression that Twitter user @GMKnowBoulder was right yesterday when they said Symantec seems stuck in the "quantum void between the engineering force and the marketing dark side".

So who out there can be bothered bindiffing NAV CE circa 2006 against current endpoint protection products?

Find Patrick Gray on Twitter.