Podcasts

This week's feature guest is the head honcho of the Beef Project, NGS Secure's Wade Alcorn.

Wade joins the program to talk about the SSL/TLS flaw that Juliano Rizzo and Thai Duong plan to demonstrate at the Ekoparty security conference. They've found some really nice flaws in TLS 1.0 that mean you can, under some circumstances, when six planets align in the June dawn, extract session cookies from SSL connections.

It's not a bug that marks the end of the world, but it's just a really interesting one so Wade will be along to discuss it.

And this week we check the news headlines with Mark "Longpipes" Piper.

Over the last couple of weeks you may have spotted some news stories floating about claiming cybercrime costs society US$388bn annually, with Australia alone suffering A$4.6bn in yearly losses.

If the numbers are to be believed, these reports say, that means cybercrime costs us nearly as much as the global trade in illicit drugs. It's a sensational claim and makes an awesome headline, but any way you slice or dice the numbers they just simply don't stack up.

What's more frustrating is the most cursory analysis of these figures is enough to show they're fanciful. Yet lazy media outlets, spurred on by reports carried by the sycophantic technology media, happily parroted these claims as fact without doing the most basic checking.

Institutional fraud measurements here in Australia blow the claimed numbers out of the water immediately. Direct losses from all personal fraud in Australia, online and offline, is estimated at A$1bn a year. So where did the claim involving a A$4.6bn annual impact come from?

The numbers were dug out of a survey report released by Norton, the consumer division of Symantec, a company that makes computer security software.

Norton engaged an online survey company, Strategy One, to quiz around 20,000 people in 24 countries about their experience with cybercrime. It asked respondents to nominate both direct and indirect losses they experienced as a result of online crime.

Based on the responses Strategy One received, direct annual consumer losses extrapolate to USD$114bn a year. That includes losses that consumers experienced that were reimbursed, as is the case with the vast majority of credit card fraud.

That figure seems high enough, but where things get comical is when Norton throws indirect losses into the mix.

When asked to nominate how much these cybercrime experiences were worth in terms of "time lost," Strategy One extrapolated a figure of USD$274bn.

Now, here's where it gets into Twilight Zone territory. According to Norton, United Nations figures estimate the illicit trade in heroin, cocaine and marijuana is worth US$288bn a year. The total illicit drugs trade is worth, apparently, US$411bn per annum.

But if you add the USD$114bn figure for direct cybercrime losses to the USD$274bn "time lost" figure, you wind up with a total just under the figure for drug sales (USD$402bn).

The result is the claim that "cybercrime is... approaching the value of all global drug trafficking". You see what they did there? Voila! Instant headlines!

Norton is actually equating a fictional "time lost dollars" -- that never actually existed -- with actual dollars spent on marijuana. You'd think the marketroids were smoking the green stuff themselves when they came up with that comparison.

They must be regular users, too, because Norton put out a press release on September 11, 2009, claiming cybercrime actually eclipsed the global drug trade. The press release was titled: "Cyber Crime has Surpassed Illegal Drug Trafficking as a Criminal Moneymaker; 1 in 5 will be a victim".

As a moneymaker? Really? That's not even what Norton is claiming now!

If that wasn't loose enough, it seems obvious that if we included "time loss" figures stemming from the illicit drug trade the comparison would be blown apart immediately.

Just think of the harm being inflicted on Mexico right now by the drug cartels, not to mention narco-related drama in countries like Afghanistan. Then there's the money spent on the "War on Drugs," keeping drug dealers in prison and the productive capacity society loses to all those dope-smoking young males glued to their PlayStation 3s.

While we're doing things the Norton way, why don't we include lost income that unemployed heroin users could be making if they straighten up? It'll be a completely meaningless number, but as long as it's big, apparently, it gets a run.

Norton's definition of cybercrime is also fairly liberal. It defines "online harassment" as a cybercrime, along with being "approached online by a sexual predators". Online credit card fraud is defined as "someone made an unauthorized use of my credit/debit card, or card number, to fraudulently obtain my money or property".

The word "online" doesn't even appear in the definition. This question, as written, will catch all credit card fraud.

It gets better. In June two researchers from Microsoft, Dinei Floręncio and Cormac Herley, wrote a brilliant paper titled "Sex, Lies and Cyber Crime Surveys".

You can read it here, but the general thrust of the paper is self-nominated loss figures are notoriously unreliable.

Floręncio and Herley say surveys of sexual behaviour demonstrate people lie when asked to nominate how many sexual partners they've had. In a random sample, it stands that the average number of sexual partners for both men and women would be the same. But they're not.

Women generally tell the truth, albeit shaving the number slightly. Men also generally tell the truth. Unfortunately, some men, the research says, massively overstate their notches-on-the-bedpost quota, and that throws the reliability of the survey more or less out the window. Floręncio and Herley argue overstated loss figures cause the same problems in cybercrime surveys.

Cybercrime surveys that rely on self-nominated losses require multi-layer sampling and a sample size of up to several million respondents in order to be regarded as accurate, the Microsoft paper claims.

The problem boils down to concentration. Overstated losses can massively skew data sets. In a survey based on 1,000 respondents, Microsoft says, a claim of a single loss of $50,000 would translate to a loss figure of $10bn over the whole population. A nominated loss of $7,500 translates to $1.5bn.

So, they say, we should "discard" any survey that doesn't disclose both the median and mean figures for responses. These two figures give the reader an idea of how concentrated the responses are.

The Norton survey does not disclose these figures.

There are places we can look to find more trustworthy sources of information relating to crime and fraud. The Australian Bureau of Statistics, for example, estimates all personal fraud, both online and offline, costs Australians AUD$1bn a year (2007).

The Australian Payments Clearing Association (APCA) calculated Australian Issued Payment Instrument (credit store and debit cards, cheques etc) at around A$210m for 2010.

Sure, a body representing financial institutions might have an interest in understating these figures, but Norton's report claims direct cybercrime losses in Australia are A$1.8bn a year (roughly A$300 per household) with a further A$2.8bn in indirect losses!

Put simply, Norton's figures just do not look credible next to institutional measurements, and Microsoft's research tells us these types of cybercrime surveys are unreliable.

For its part, Norton says the discrepancies can be explained because much cybercrime goes unreported. "We are confident that the Norton Cybercrime Report is a valid representation of the current state of consumer cybercrime," the company wrote in response to questions.

It's understandable that a company with a vested interest in overstating a problem will release this sort of marketing material. It's another thing for the media to just run with it without questioning the numbers.

On this week's show we chat with Ruxcon organiser and vulnerability researcher Chris Spencer.

Chris pops by to offer a five percent discount on Ruxcon training to Risky Business listeners, and we also have a quick chat to him about trends in the vulnerability research game.

Chris was popping shells and publishing exploits since the nineties, so he's seen a few things change!

Also this week, RSA's Mason Hooper joins the show for this week's sponsor interview. We ask Mason for his thoughts on a not-particularly-convincing Norton survey report that estimates cybercrime is now bigger than the illegal drugs industry. Ha!

Mark "Longpipes" Piper is this week's news guest. He's filling in while Adam Boileau is in Afghanistan seeking advanced beard grooming tips.

The following is a recording of a panel discussion about Wikileaks that took place at the Splendour in the Grass music festival in Woodford, QLD, Friday, 29 July 2011.

Moderating the panel is The Chaser's Julian Morrow. On the panel:

* Nicholas Hayden, Hungry Beast, ABC TV
* Marc Fennell, Hungry Beast, ABC TV
* Grace Morgan, Julian Assange's Australia-based solicitor
* Suelette Dreyfus, Author, Underground
* Patrick Gray, Host of the Risky Business podcast
* Christine Assange, Julian Assange's mother

The recording is unedited. Enjoy!

It seems the bad guys are targeting Australian Internet users this week. I got a few of these this morning, as did a couple of Risky.Biz listeners:

From: rules@abr.gov.au
Date: 14 September 2011 10:05:53 AM AEST
To:
Subject: Attention for the ABN owners
x-original-to: REDACTED
x-mailer: azzgnshjz.46

Australian Taxation Office together with Australian Business Register
wants to inform you that starting from January, 1 2012 new rules of use of ABN number are being introduced.

The changes will concern:
- GST credits;
- Australian domain names registration

More detailed information about the coming changes in the rules you can find HERE.

Australian Business Register
www.abr.gov.au

All links in the e-mail go to the domain australianbusiness-store.com.

That site drops an executable named updateTax15sept.pdf.exe.

Geez. I wonder if I should run it?

I also received a couple of other, similar messages purporting to come from the ATO. Again, all links pointed to the domain australianbusiness-store.com.

TL;DR: Drop domain australianbusiness-store.com at your gateway.

UPDATE: Our buddy Neal Wise at Assurance.com.au says the same spam run makes use of the domain australian-businesssite.com, too... Some on Twitter have reported hundreds of these spams coming through their gateway just this morning. Seems very tightly focussed on an Australian audience.

Patrick Gray on Twitter.

On this week's show we take a look at the security of browser JIT engines with two extremely smart guys: Chris Rohlf and Yan Ivnitskiy of Matasano Security.

They presented a paper in Vegas all about attacking clientside JIT compilers. It's good, old-fashioned security research -- the type of research that's increasingly being withheld from the public these days.

What is a JIT compiler? How does it work? Do they present inherent security problems? Tune in to find out!

This week's show is brought to you by Sophos Network Security. In this week's sponsor interview we're joined by that company's product manager Angelo Comazzetto to discuss network visibility and application aware firewalls.

Normally Adam Boileau joins the show to discuss the week's news, but he's off globetrotting for the next few weeks, so instead his buddy Mark "Longpipes" Piper steps into the news slot to fill in. Thanks Mark!

What a week in information security! Between Kernel.org getting owned, the Iranian Government apparently hacking a Dutch CA to mint around 250 valid certs for stuff like *.google.com and Wikileaks experiencing a spectacular opsec fail, there's plenty to talk about in this week's news segment with Adam Boileau.

In this week's feature interview we speak with Greens Senator Scott Ludlam about the governments proposed Cybercrime Legislation Amendment Bill. There's been a lot of FUD out there on this one and Senator Ludlam joins the show to dispel some myths and discuss some specific improvements the Greens would like to see made to the package of legislation.

This week's sponsor interview is with Ron Gula, CEO of Tenable Network Security.

Ron says some people out there in the market are forming a consensus that preventing attacks is just too hard, and so they're focussing too much on merely detecting compromises. Ron says a balanced approach is better. He joined me by phone to discuss.

* By the way, the company Ron mentions a company named Kyrus. Wasn't very clear in the recording.

This week's feature interview is with anonymous infosec blogger Diocyde.

He has access to some fairly sensitive shit, so we can't tell you his name and we've had to disguise his voice.

Diocyde is best known as the author of the Veiled Shadows blog.

On it, he's written volumes about state-sponsored attacks against the United States. He's tracked who he says are Chinese malware writers and basically doxed them on the blog. He's advocated a hot cyber-war against China to stop that country from continuing to siphon off US-developed intellectual property and intelligence and he's written it all under the influence of pure fury.

Chinese attacks against the USA make this guy angry, as does the idea that attribution in the cyber sphere is difficult.

Interest in Diocyde's blog really took off when links to it popped up in e-mail stolen from HBGary Federal. Things got even more interesting when a few of his posts not only disappeared from the blog, but also disappeared from Google's cache.

In particular, one post titled "Busting the APT can wide open" went missing. It contained a large amount of intelligence on Chinese malware writers.

It was a fascinating read, and it's been completely removed from the Internet.

Doicyde joined me to discuss his blog, the missing posts, Chinese cyber espionage and attribution.

This week's sponsor interview is with RSA Product Manager Jeffery Carpenter.

This week we're chatting to Jeff about RSA's vision for the future of two-factor authentication. Are soft tokens becoming more popular? Is that a problem? What role will mobile device features like NFC play in the 2FA equation in the future?

Also this week, Adam Boileau joins us with the week's news headlines.

You may have heard about Microsoft's Blue Hat Prize for defensive security research. The company is running a contest for the best memory corruption bug mitigation technology. So, if you reckon you've found the next DEP or ASLR, you could be eligible for the company's $200,000 first prize.

It marks a departure from bug bounties -- this is a contest that rewards defensive research, not just new attacks.

There has, however, been a limited but vocal backlash. Security development firm Supreption took to its blog to describe the contest as a "late April Fools joke".

Winners of the contest maintain ownership of their ideas and intellectual property, but Microsoft assumes right to implement any entries it chooses into its operating systems. The guys at Supreption say that means Microsoft is getting way too good a deal for its prizemoney.

The blog claims the PaX team, creators of ASLR, support the company's position.

Microsoft's Katie Moussouris joins the show to face the criticisms and defend the prize.

Adam Boileau, of course, joins the show to discuss the week's news headlines.

A massive Pastebin dump of domain names and IP addresses supposedly linked to a cyber espionage ring appears to be the real deal.

The Pastebin dump, dated August 15, lists around 850 entries containing domain names and IP addresses, supposedly leaked by "RSA Employee #15666". The dump asserts the IP addresses and domain names listed are used in command and control operations by a cyber-espionage ring.

"My sincerest apologies go out to those with ongoing monitoring operations on any of the IP addresses involved," the dump reads. "These attacks have targeted US and Canadian companies almost exclusively for at least five years... and continue to be extremely effective."

The dump claims the operation targets include private US defence firms.

The dump also makes the explosive claim that many of the IP addresses are monitored by private information security companies "...for the purpose of supplying stolen information back to the affected companies."

"Stolen data is effectively held hostage for the price of doing business with the company in the know," the dump reads.

The idea might sound like an unlikely conspiracy theory, but it's lent some serious credibility by a leaked HBGary analysis of some of the same IP addresses and domain names. That analysis appears to confirm their authenticity as espionage-linked callback IPs.

The analysis, which was leaked by an attack on HBGary Federal by Anonymous in February this year, identifies each IP address as a callback address for custom malware used in espionage operations, presumably operating out of China. The IP addresses serve a configuration file that re-directs infected hosts to an interactive command and control IP based in Hong Kong.

The vast majority of the leaked IP addresses are physically located in the US.

HBGary codenamed the operation "Soysauce".

"The soysauce group targets a large number of defense contractors who service the U.S.A," the analysis begins.

Alarmingly, the HBGary document suggests that each sub-domain of each registered domain name corresponds to a successfully compromised target.

Booz Allen Hamilton via bah001.blackcake.net, Mantech Corporation via mantech.blackcake.net and man001.blackcake.net.

So on, so forth.

This means each of the 850 entries in the dump potentially corresponds to a custom callback address for each successfully compromised victim.

To cut a long story short, if you find any of those IPs in your logs, you're likely owned by the Chinese government.

If you don't find them, you're probably owned anyway.

Risky.Biz has no reason to believe Pastebin data was actually leaked by an RSA employee.

Subscribe to the Risky Business podcast here.

Check out our podcast directory here.