News, analysis and commentary

UPDATED: Symantec's spin department at work?

Presented by

Patrick Gray

CEO and Publisher

UPDATED WITH COMMENT FROM SYMANTEC BELOW

So it's happened -- a significant chunk of Symantec's source code has been made available online as a torrent.

This followed the release of a pretty loltastic Pastebin dump which purports to show e-mail negotiations between a Symantec staffer and the hackers who obtained the source.

In the alleged correspondence the Symantec rep offers said hackers $50,000, paid in $2,500 monthly instalments, in exchange for guarantees they won't publish the source and issue a statement saying the breach never happened.

Symantec claims the whole thing was a setup designed to draw the attackers out. That claim is entirely credible.

The publication of the correspondence is nonetheless embarrassing for Symantec, which has actually handled this whole situation pretty well.

When it realised its source code for PC Anywhere had been walked in 2006 it initiated an urgent audit of the relevant code and found some major problems. It recommended users stop using PC Anywhere until it issued a series of patches correcting the bugs. Those patches are out.

Of course the question remains as to why they took until now to review the security of the PC Anywhere source. The bugs they found were really, really serious. And obvious. And had been there for five years at the very least.

But what really puzzles me is the company's attitude towards the publication of its corporate antivirus software. PC Magazine published an article that quoted a Symantec representative as saying:

    To be correct, the code is for Norton Antivirus Corporate Edition, i.e., what used to be used by enterprises. As it is, customers face no security threats if the code is posted. It's a product that is no longer available, supported, or sold.

    The code is so old that even if there were attempts to generate a cyber attack, it would take on the characteristics of a 2006 attack. The age of the code inherently limits what can be done with it. It is, essentially, worthless code. At this point, Anonymous would be releasing it for PR purposes and that's it.

That's a bold statement but it could well be true. But what exactly is Symantec saying here? Is it saying that absolutely no source code from its old Corporate Edition has found its way into current enterprise software?

Also, what characteristics, exactly, do "2006 attacks" possess? How does the "age of the code" limit what can be done with it?

That whole statement is just weird, and until we get more information out of the big yellow S it raises more questions than it answers.

I'll be firing off some questions to Symantec PR on this and we'll see what they say.

UPDATE: The PR gnomes at Symantec have issued this response:

    "Based on our analysis, the Norton Antivirus Corporate Edition code in question represents a small percentage of the pre-release source for the Symantec AntiVirus 10.2 product, accounting for less than 5% of the product.

    As such, that is not enough of a percentage to mount or develop a successful cyber attack against current Symantec and Norton solutions.

    If customers are using current versions of their Symantec or Norton products, they will be protected against attacks that might result from the theft and possible disclosure of the code."

I've pushed back again to ask a few follow-ups... like, WHICH 5% is still in the product? Was the other 95% of the code rewritten from scratch? Or was some of it just "updated" from the original source? Did they have the AV products audited in the same way PC Anywhere got the once-over? Etc etc.

Will hopefully have an update soon.

Find Patrick Gray on Twitter.

Verisign pwnz0red: Reuters report

Presented by

Patrick Gray

CEO and Publisher

An interesting news piece hit the wires overnight describing the 2010 breach of a handful of Verisign's corporate systems.

The story was broken by the Reuters news agency and is peppered with sensational quotes like a former NSA and DHS guy saying "ZOMG this will end the interwebz" despite the fact the guy knows about as much as we do about the breach. You can read the whole thing here.

It's interesting for several reasons. Firstly, the reason we know about this event is because it was disclosed in the company's SEC filings. Secondly, Verisign is a very important company when it comes to the issuance of digital certificates. And finally, the story is made all the more fascinating by the vagaries of the disclosure. The filing is a tad light on specifics, like what data was actually "exfiltrated".

It's also a sad sign of what's become of the technology media. The breach was disclosed in an SEC filing back in October, but has only hit the news now.

Symantec says there's no evidence to suggest the breach affected its SSL systems, which, if true, means the story as reported is a bit of a beat up.

I suspect this breach is unlikely to be of the magnitude of the RSA hack or Aurora attacks against Google. If anything it tells us more about the sorts of disclosures we're likely to see in future SEC filings in the USA.

But who knows? Sometimes these stories are slow burners...

Either way, the fact that no one would be surprised if Verisign's SSL boxes got pwned is proof enough that browser manufacturers need to redouble their efforts in protecting users from man-in-the-middle attacks performed with illicitly issued but "technically legitimate" certificates. I believe Chrome already pins certs for most major websites and IE might already do it too.

What does your gut feel say? Drop us a comment!

Find Patrick Gray on Twitter.

Risky Business #224 -- Lost source and open relays: 2012 is here

Presented by

Patrick Gray

CEO and Publisher

Adam Boileau

Technology Editor

Risky Business is back for 2012! This week's edition of the show is sponsored by Adobe.

And as it's our first week back we're focussing mostly on catching up on the news of the last six weeks or so. Between McAfee turning its customers into open relays -- that wound up being used by spammers -- and Symantec realising its source code walked six years ago, it's been a cracking start to the year.

Risky Business news co-host Adam Boileau joins the show to run through the key highlights of the last six weeks.

Also in this week's show, Adobe's product security chief Brad Arkin joins the show to talk about the virtues of silent patching. Brad's been on board with Adobe since 2008 and says the company has actually made progress in the product security arena. Have a listen to him and judge for yourself!

The production of this week's show did not go smoothly. My SSD died, with the entire, unedited show on it. Two people really, really helped out and saved this week's podcast.

Adam Pointon donated a couple of hours of his Tuesday evening and managed to recover the interviews from the dead drive. Massive thanks to him. Jonathan Wrigley of Xero Computing in Carlton let me use one of his display systems to finish cutting together the show.

So big, big thanks to both of them. If you live in Melbourne, by all means pop into Jonno's shop and pick up some stuff for your Mac. Enjoy the show!


Risky Business #223 -- Summer edition: Drones pwned?

Presented by

Patrick Gray

CEO and Publisher

Adam Boileau

Technology Editor

This is a special summer edition of the Risky Business podcast. There's no feature interview or sponsor interview -- just Adam Boileau and Patrick Gray discussing the most interesting security news items of the last three weeks, including:

  • Did Persians pwn Drones?
  • Bradley Manning faces court
  • HP to face printer vulnerability lawsuit
  • Could the USA's SOPA law break DNSSEC?
  • GlobalSign says its CA systems were never compromised
  • New guidelines for issuance of SSL certs
  • Microsoft to silently update IE in 2012
  • Fun fact: Ukrainian general arrested for online fraud
  • Putin's Twitterbots drown anti-regime hashtags
  • Mexican government dismantles Los Zetas' massive comms network
  • CNet's Download.com bundles crapware with nmap

Risky Business #222 -- Never pay for roaming data again

Presented by

Patrick Gray

CEO and Publisher

Adam Boileau

Technology Editor

I thought we'd just have a bit of a fun feature for the last show of the year. It's an interview with Edith Cowan University's Peter Hannay about a presentation he did at Ruxcon back in 2010, all about turning Amazon's Kindle into a completely free internet access device that works all over the world.

That's right, no subscriber fees and 3G access in a zillion countries.

He'll tell you how you can hack your Kindle to use it as a completely free USB Internet access device pretty much anywhere in the world. No more data roaming for you! W00t w00t! SSH everywhere!

Astaro's Angelo Comazzetto takes a look back on Sony's 2011 woes in this week's sponsor interview and Adam Boileau joins us, as always, to discuss the week's news.

Peter Hannay's Kindle code can be found here.


Oops! McAfee discloses 1k customer e-mails

Presented by

Patrick Gray

CEO and Publisher

McAfee Australia leaked 971 customer e-mail addresses in a botched e-mail marketing campaign last week.

The addresses of the recipients were placed in the visible TO field instead of the BCC field.

It's an all-too-common mistake, made especially embarrassing for McAfee because it's not the first time in recent memory something like this has happened.

In July, 2009, the company accidentally attached the full contact details of 1,400 customers to a marketing mailout.

The latest e-mails to leak are those of enterprise and government contacts, not consumers.

In response to a query from Risky.Biz, McAfee released the following statement through its public relations firm Spectrum Communications:

    Late last week McAfee sent an email inviting a small percentage of McAfee customers, based in New South Wales, to its Enterprise Mobility Management webinar. Due to human error and contrary to McAfee policy and procedure, the email inadvertently revealed the recipient email addresses.

    This error has been investigated and we are in the process of contacting the people affected to apologise, provide information and request that recipients delete the email addresses we have shared in error.

    We are taking this opportunity to remind all staff of the importance of our processes around customer communications.

This sort of thing is always so embarrassing...

Follow Patrick Gray on Twitter.

Risky Business #221 -- Browser GFX security with Ben Hawkes

Presented by

Patrick Gray

CEO and Publisher

Adam Boileau

Technology Editor

In this week's feature interview we're chatting with Google's Ben Hawkes about the risks posed to browsers by new developments in the way they handle graphics. WebGL and Flash Stage3D give websites easy access to graphics cards but introduce a bunch of potential security issues. What if there's a bug in your graphics card driver? Can you then exploit that through the browser?

That, for want of a better word, would be... bad.

It's a topic that's been picking up a bit of coverage over the last six months or so, but is it overhyped?

In this week's sponsor interview we're hearing from Eddie Schwartz the Chief Security Officer of RSA security. We're chatting to him about the notion that keeping attackers out of networks just isn't realistic anymore. CSOs need to cop to that fact, Eddie says, and start looking at some fresh approaches.

We have a good chat about some of the Jericho Forum's security principles [totally legit PDF], too, and how consumer devices entering the enterprise are actually driving a deperimeterisation approach to infosec.

Adam Boileau, as always, drops in for the week's news headlines!


Risky Business #220 -- All your Macs are belong to Snare

Presented by

Patrick Gray

CEO and Publisher

Adam Boileau

Technology Editor

On this week's podcast we take a look at doing some fairly unnatural things to the OS X operating system. We'll hear how to best rootkit OS X and also how messing with EFI bootloaders can be a whole bunch of fun in terms of installing persistent rootkits in PCI firmware.

That's this week's feature interview, with our buddy Loukas from Assurance.com.au.

Also this week we're joined by Tenable Network Security's product manager Jack Daniel in the sponsor interview. He'll be chatting to us all about Dan Geer's new cybersecurity research agenda.

Adam Boileau, as always, joins us to chat about the week's news.


Risky Business #219 -- NFC puts chip readers everywhere

Presented by

Patrick Gray

CEO and Publisher

Adam Boileau

Technology Editor

On this week's show we're talking Near Field Communications (NFC) with New Zealand's Nick von Dadelszen.

NFC is set to become the next big thing for micropayments, but it looks likely there's potential to conduct all sorts of mischief using NFC-equipped mobile phones like Google's Nexus S.

NFC equipped phones are RFID readers, and Nick reckons we're about six months away from being able to use them as card emulators as well. Let the fun begin!

Also this week, RSA Australia's Mason Hooper joins us to discuss Apple's decision to expel vulnerability researcher Charlie Miller from its developer program. Miller had snuck a dodgy app into the company's official appstore that was capable of running unsigned arbitrary code. Nice trick. Apple unimpressed. But did they overreact? That's this week's sponsor interview.

Adam Boileau, of course, is this week's news guest.


RB2: Nick von Dadelszen's Kiwicon presentation on NFC

Presented by

Patrick Gray

CEO and Publisher

NFC on mobile phones is a new phenomenon and opens a lot of possibilities for research, particularly when talking about mobile payment platforms. Lateral Security's Nick discusses the good, the bad and the ugly of mobile NFC.

RAW AUDIO.
