Podcasts

This week's feature guest, Michael DeGusta, has done a bit of research on this topic and found, well, Android support is even WORSE than we first thought. He turned his research into a chart that went viral. Here it is:

Also this week, Sophos Network Security's Bill Prout joins us for a chinwag about webapp security in online retail.

Adam Boileau, of course, stops in to discuss the week's news headlines.

| \t Show Player | Play in Popup | Download

In this week's feature we chat to Patrick Webster about his tangle with First State Superannuation.

This is a story we've covered on the show over the last few weeks. If you haven't heard what happened, Pat spotted a bug in First State Super's statements system, probed it, let them know 12 hours later and then wound up with the police on his door!

Since then the whole saga has turned into a pretty big deal here in Australia. The police and civil actions against Webster have both been dropped and First State Super -- and its administrator -- has wound up in a bunch of trouble.

In this week's sponsor interview we're chatting with Tenable CEO Ron Gula about a recent edict from the Securities and Exchange Commission in the USA that advises companies on what sort of cyber risks and incidents they should be disclosing in their quarterly filings. Ron has an interesting take -- initially I disagreed with him but he won me over, I hope you'll stick around for that.

Adam Boileau joins the show, as usual to discuss the week's news.

Infosec reporter Brian Krebs published a splendid post a couple of days ago that apparently unmasks 760 victims of the same group that owned RSA.

I've had a look through the list and pulled out all the Australian organisations I could find. From the looks of things this list was compiled by observing computers connecting back to evil C&C in China. That would explain why there are so many ISPs listed -- it's likely it wasn't the ISPs that got pwnz0riz3d, it was their customers.

This full list is apparently doing the rounds among congressional staff in the USA.

So, Australia-centric highlights of the reverse-lookups include:

* CITEC-AU-AP QLD Government Business (IT)

Basically all QLD Government IT is outsourced to CITEC. It's the QLD state govt's IT agency.

* DSE-VIC-GOV-AS Department of Sustainability & Environment,

Also affectionately known in political circles as the Department of Scorched Earth, it looks like DSE got popped. Not much mining in Victoria, so your guess is as good as mine as to why.

* CSC-IGN-AUNZ-AP Computer Sciences Corporation

I'm guessing this was CSC itself or one of its customers. Does CSC operate a few gateways? It does here, from memory... a few in Canberra, too. *cough*

Then there are the ISPs.

* AMNET-AU-AP Amnet IT Services Pty Ltd
* TPG-INTERNET-AP TPG Internet Pty Ltd
* MICRON21-AS-AU-AP Micron21 Melbourne Australia Datacentre. Co-Location Dedicated Servers Web Hosting
* PI-AU Pacific Internet (Australia) Pty Ltd
* TELSTRA Telstra Pty Ltd
* VZB-AU-AS Verizon Australia PTY Limited
* MPX-AS Microplex PTY LTD
* IINET iiNet Limited
* MCT-SYDNEY Macquarie Telecom
* AAPT AAPT Limited

Then there's this:

* TEAM-CYMRU – Team Cymru Inc.

Some of you will know why that's equal parts funny and bad.

This week's feature interview is with Ian De Villiers of the South African security firm Sensepost.

Ian recently dropped a couple of interesting SAP security tools at 44con in London and ZACon in South Africa.

SAP makes Enterprise Resource Planning (ERP) solutions... CRM, SCM, PLM... you know, all that three-lettered, thick client enterprise stuff. It's everywhere and as it turns out, one of the only things that has saved it from thorough examination in the past has been the obscurity of its protocol.

Well, Ian, extending the work of Ukranian security guy Dennis Yurichev, has written a couple of tools that will let you play around with SAP software. He's written a protocol decoder, SAPcap, and SAProx, which Ian describes as being like Webscarab for the SAP protocol.

Also this week, Adam Boileau and I have a chat about the week's news, PLUS the latest twists in the First State Superannuation saga.

Australian security researcher Patrick Webster has received a letter from commercial law firm Minter Ellison demanding he turn over his computer to its client First State Superannuation.

The legal threat follows Webster's disclosure of a serious and trivially exploitable security vulnerability in First State Superannuation's website to the company in September.

Listen to my interview with First State Superannuation's Chief Executive Michael Dwyer AM here.

The flaw allowed any logged in member to access other member's statements by changing a single digit in their browser's URL bar.

The letter, received today, threatens to pursue Webster for costs incurred "in dealing with this matter" if he does not agree to delete all information he obtained by demonstrating the flaw and promise to never attempt to access other member information again.

Webster claims he deleted the information in September. He says some member information, around 500 statements, was downloaded to his computer when he tested a bash script that would demonstrate the flaw to the company's IT staff.

He ran it while he made a cup of tea, saw that it worked, deleted the information and sent the script to First State Superannuation's IT staff so they could independently verify the glaring security hole.

You can read the letter here.

Editorialising for a minute, if Webster had planned to do something untoward with the information he obtained in his four minutes of testing, why would he inform the company of their security issue? Why would he now retain the member information he was trying to protect by reporting the bug in the first place?

If he'd found the bug in a Facebook or Google Web application, Webster would have actually received compensation for his time, not reported to the police and threatened.

Now the company is threatening to recoup costs from him if he doesn't allow them to get their grubby, insecure mitts all over his computer. Why not just ask for a signed statutory declaration? Why resort to threats?

The irony here is it's entirely possible that the glaringly obvious, boneheaded direct object reference bug that Webster exposed puts First State Superannuation completely on the wrong side of various compliance regimes and acts, including the Australian Privacy Act which stipulates organisations must take reasonable steps to secure personal information.

On this week's show we're delving into a troubling story emerging here in Australia. A local security researcher and consultant, Patrick Webster, has been threatened with criminal and civil prosecution after he disclosed a direct object reference bug in his pension fund's systems.

We'll be discussing this in the news with Adam, then we'll be hearing from First State Superannuation's Chief Executive Michael Dwyer himself!

Also on this week's show I'll be playing part two of my interview with famed hacker Kevin Mitnick. There's a very funny story in there about what happened when I asked him to track down Christopher Boyce, aka the Falcon of the Falcon and the Snowman fame. Boyce is an American who, at the time, had just been released from prison after serving a lengthy sentence for treason.

A big news story over the last week was the Chaos Computer Club's discovery of a piece of malware thought to be used by law enforcement in Germany. Over there, government agencies are allowed to use malware to Intercept internet telephony, but nothing else. As it turns out the trojan was packed with all sorts of extra features that just shouldn't have been there.

We'll be discussing that whole thing in this week's sponsor interview with Markus Hennig -- the co-founder of Astaro, which is now the network security division of Sophos.

Adam Boileau, of course, stops by for this week's news segment.

To subscribe to the Risky Business podcast via iTunes, click here.

Well-known Australian information security professional Patrick Webster has been visited by NSW Police officers following his disclosure of an embarrassing Web application security bug to his superannuation fund.

Webster had noticed his pension fund, First State Superannuation, allowed logged in members to access online statements via "direct object reference," a security lapse so boneheaded it's included in OWASP's infamous top ten list of Web application security bugs.

For those unfamiliar with direct object reference, it means documents are served up by way of a direct ID in a URL. The problem is that by changing the document ID in the browser's URL bar, another document will be accessed and served to the user.

Direct object reference issues have been well known for over a decade. The Australian Treasury's GST Web Site was affected by a similar glitch in 2000.

Sure enough when Webster incremented the document ID number in the URL linking to his super statement, up popped another member's statement. He contacted First State Superannuation's administration arm, Pillar Administration, to notify them of the problem the morning after he discovered the company's shoddy coding.

He even sent one of the fund's IT staffers a bash script to demonstrate the issue. The script enumerated document IDs and downloaded statements.

"It needed to be fixed ASAP," Webster, who runs information security company OSI Security and is a prolific Metasploit contributor, told Risky.Biz. "That's why I made a script and sent it to [redacted], so he could run the script himself and see what I meant."

The initial response from the fund was positive, with e-mails seen by Risky.Biz praising Webster for taking the time to notify the right people.

First State Superannuation has 770,000 members, mostly working for the NSW State Government. Members include everyone from magistrates to police officers and nurses.

It was two of those NSW police officers that turned up at Webster's front door at around 9pm last night.

"They just rocked up on the doorstep and said 'We're after Patrick'," he said. "They said it was about downloading files from First State Super. They said they didn't really understand it. They were the local Police.

"The annoying part is that I contacted First State straight up. I gave them my number, email... and full details in my email including LinkedIn and they called the cops," Webster said.

It is generally understood in the information security industry that data accessed via a URL without further authentication has, in essence, been made public by the system allowing the access.

It is difficult to argue that the access of such material is the bypass of a security control; it is merely proof of the absence of a security control.

Webster demonstrated that any logged in First State Superannuation member could access the online statements of any other member via URL manipulation alone.

It was Pillar Administration and First State Superannuation's diabolical violation of good practice that exposed members' details, not Webster's actions.

For background on just how dysfunctional and negligent an organisation has to be to allow direct object reference to sensitive information, click here.

Perhaps instead of contacting the law, First State Superannuation would have done well to send Webster, who ironically enough spent much of his career working in information security for NSW Police, a nice bottle of single malt and a sun hat.

The company has suspended online access to Webster's account. Passing the buck, wasting taxpayers' money and police time FTW.

Calls to Pillar Administration's head office and individual staffers were not returned. Staffers reached would not comment. Comment from NSW Police could not be obtained by time of publication and detectives reached would not comment.

Pillar Administration and First State Superannuation have since fixed the direct access bug and notified members whose information was accessed by Webster's script. See the letter here [pdf].

The only silver lining that could come out of Webster being charged with something -- what, exactly is a bit foggy -- would be watching a prosecutor try to explain to a magistrate that changing a single digit in a browser bar is a computer crime.

Lawl/snort/chortle etc.

Follow Patrick Gray on Twitter here.

Check out the Risky Business podcast here.

Subscribe to podcast feeds here.

By now you've likely read about the German Chaos Computer Club's (CCC) reverse engineering of the so-called "Bundestrojaner," or "federal trojan".

Someone found a copy of a remote access trojan in the wild, claimed it was government spyware and submitted it to CCC for analysis. The resulting publications give us a bit of an insight into at least one country's alleged "computer tapping" capabilities.

The German government has actually denied the malware is used by any of its federal agencies. Who knows about state police services or agencies. But if it turns out the trojan is indeed 'legit' then we can safely say, drum roll please, governments write pretty shitty malware.

I've been moved to write about this whole drama by the reaction to CCC's analysis. Some people out there are actually shocked that governments have this capability. I'm shocked they're shocked!

Every time one of these (allegedly) government-created remote access trojans pops up the tinfoil hatters scream Big Brother; they seem to think the existence of this sort of technology proves governments are conducting illegal surveillance on a massive scale.

They think the feds are rattling around in their computer already looking for evidence of subversive political thought. Kids, the government isn't using this technology to obtain advance copies of the anti-globalisation manifesto you're writing for Pastebin. You're a 21-year-old arts undergraduate with 320 Twitter followers. You're a nobody and no one cares about you. Deal with it. (QQ)

Reaction from the fringe-dwellers aside, the CCC analysis was a truly worthwhile exercise. It managed to expose a few things, like the fact the trojan was shipping with features explicitly forbidden under German law pertaining to surveillance.

The German government, under warrant, can lawfully intercept IP-based telephony with spyware, but it's not allowed to snoop on, say, files on the infected host's hard disk. Bundestrojaner's features explicitly allowed this.

As mentioned, the German (federal) government has denied Bundestrojaner is its creation, but you can bet your bottom dollar any similar badware used by ze Germans is now getting some proper attention and oversight from up on high.

This whole exercise has raised awareness at the very top and that's a hell of an accomplishment. The CCC deserves a pat on the back -- genuine kudos -- for bringing these issues to light.

CCC also found the Trojan was a big pile of insecure, bug-riddled shit that anyone with half a brain could reverse and learn how to control; unencrypted command and control For The Win.

Even if this trojan isn't government spyware, you can bet the real stuff is likely just as bad.

But like it or not, governments today actually need these capabilities for legitimate reasons.

So let's cool the debate a bit.

Just like a court approved telephone intercept, there are entirely valid reasons for law enforcement to conduct covert searches of suspects' computers. There's simply no problem with governments having this capability as long as the judicial oversight is sufficient. [ADDED 25/11/11: I've reflected a bit on this and I don't think you can actually introduce sufficient oversight in this case. In the case of intercepting communications like Skype? Maybe. But in the case of just going nuts snooping on someone's hard drive? That's just a situation ripe for abuse. So colour me convinced!]

If a law enforcement body is looking for specific evidence pertaining to a serious crime, has a prima facie case and there's no other practical way to obtain the evidence, how is a court granting a warrant allowing this sort of snooping a bad idea? [ADDED 25/11/11: Again, I'm convinced there's no effective oversight you could introduce here. In the case of phone/Skype intercepts I think you probably can have appropriate oversight, but remote, covert searches of someones' computer are a genuinely shitty idea. Mea culpa. I think I was just being contrarian to annoy the tinfoil hatters.]

We do not have an absolute right to privacy from government, even in Western democratic nations. The state can intrude on the privacy of its citizens if there's a good reason. [ADDED 25/11/11: I absolutely stand by this as a general principle.]

Should governments be installing completely bug-riddled, insecure trojans on peoples systems? Nope. Should they creating features that allow the controller of the malware to easily exceed their authority? Again, no.

But let's not throw the baby out with the bathwater here. These government-created RATs are valuable as investigative tools in serious crime investigations. That's good for all of us.

Let's look at this CCC analysis for what it is: A good excuse for Attorneys-general and police ministers all over the world to make sure this technology is being implemented in accordance with each country's wiretapping and surveillance legislation.

What do you think? Post a comment here.

Follow Patrick Gray on Twitter here.

Check out the Risky Business podcast here.

Subscribe to podcast feeds here.

This week's feature guest is Kevin Mitnick! Possibly one of the world's best known computer hackers, Kevin has been the subject of several books and even a B-Grade movie. He spent years on the run evading capture by the FBI, eventually winding up in prison for something like five years.

Since his release in January 2000 he's become a successful public speaker, security consultant and author. His latest work, however, is his most well received. Kevin, with writer William L. Simon, has finally written an autobiography, and from nowhere it's become a New York Times bestseller.

I've read it, it's heaps of fun... Kevin will be popping in later in the show to tell us why he's written his biography now... and I get to quiz him on some stuff that's not actually in the book. Hope you'll stick around for that.

This week's show is brought to you by RSA Security so in this week's sponsor interview we chat with Mason Hooper about RSA's investigation into a particularly badass Zeus variant. They actually managed to seize around 200Gb of filtered financial information out of its C&C. That's a fair bit of dataz!

Also, Adam Boileau is back from Europe and rejoins the show to discuss the week's news headlines!

*****WARNING... we use the sh** word a lot in this episode. I have no idea why.

There's no feature interview in this week's show, instead we're focussing on news instead!

And what a week it's been.

Browser makers have slayed the SSL BEAST attacks, Goldman Sachs' CEO got dox'd, as did Sgt. Douchebag of the NYPD. You know the one... he's the guy who maced a bunch of peaceful protestors in the face.

Microsoft even got in on the action and dox'd the operator of the Kelihos botnet!

Meanwhile if you're a Cisco admin you're likely having a tough week, as are the folks at Diebold, who apparently STILL can't make secure e-voting machines.

Also this week, Tenable Network CEO Ron Gula joined us to talk about log analysis. Sounds dry, but it's not. This week's show is, of course, sponsored by Tenable!