Podcasts

In this week's feature interview we're chatting with Dino A Dai Zovi about Mac security -- Dino's well known as a Mac hacker and he's just done a BlackHat talk in which he evaluated Apple's IOS 4.x operating system for enterprise suitability. How did it stack up? Find out after the news!

Also this week we check in with Sophos Network Security director of support Alan Toews about Moxie Marlinspike's latest work, an alternative way of doing SSL certificates that completely does away with CAs. That's this week's sponsor interview.

Adam Boileau, of course, joins us for this week's news.

On this week's show we're taking a look at the most devastating state sponsored planet melting, child eating APT the world has ever seen... according to Gizmodo it's the BIGGEST CYBER ATTACK IN HISTORY.

Ummm... actually no, it's a fairly unsophisticated botnet comprising of 70 targeted infections.

It seems like the tech guys and analysts at McAfee did some interesting work in seizing control of a small botnet, then the salesbots, marketroids and public relationamatrons got their hands on it and spun it way out of perspective. The result? The media describing a fairly run-of-the-mill spooky botnet as the end of the world.

We'll be joined by Searn Duca of McAfee -- a very nice chap -- to have a chat about some of the detail of the so-called operation Shady RAT, which to me, seems more like operation shady AV vendor sales and marketing pitch. The media has spun this one way out of control, much, I'm sure, to the delight of the PRs at McAfee and the irritation of the wider infosec industry!

Also in this week's show we're joined by Marcus Ranum in the sponsor interview. Marcus is, of course, Tenable Network Security's CSO, and he joins me to discuss the US military's new cyber warfare doctrine -- you know, the one that explicitly states the US can use kinetic retribution in the event of a cyber attack.

So, like, doesn't that mean Iran can go and air-strike US nuclear refineries now? Heh... heh... yeah. :'( Marcus joins us to discuss that toward the end of the show -- that's actually a really interesting chat.

We're also joined by Adam Boileau, as usual, to go over the week's news headlines.

This week we're chatting with Detective Superintendent Brad Marden of the Australian Federal Police. While the FBI are out locking up Low Orbit Ion Cannon users on no-bail warrants, Mr. Marden and his team, apparently, are out doing real, actual police work to catch real, alleged criminals. How refreshing!

Listeners to this program would have heard of the case of Distribute.IT -- an Australian domain name registrar and hosting company that got majorly worked by a hacker calling himself "Evil from efnet".

After entry, the attacker rm -rf'd the entire company and basically destroyed the business. What remained of the company's assets were sold at presumably fire-sale prices to NetRegistry, another Australian company.

Well, earlier this week the AFP arrested an unemployed truck driver as a result of its investigation into the distribute.it matter. The suspect, 25-year-old David Cecil, has been charged with 49 offences relating a breach at a company called Platform Networks, but police have hinted that further charges are to come.

Marden joins the program to discuss the arrest.

Adam Boileau drops in to discuss the week's news, including the arrest of alleged LulzSec member Topiary in Scotland.

In this week's feature interview we're chatting with Silvio Cesare.

Silvio's an extremely well regarded infosec guy down here in Oz. He'll be chatting to us about his experience in academia. Silvio argues much criticism of academia in industry largely misses the point, and academia actually serves infosec quite well. Cryptography anyone?

This was also the week that saw LulzSec make a spectacular return to the public eye. It was also the week the FBI rounded up around 16 "cyber criminals". Well, actually it was more like 14 LOIC users and a couple of scripty-tardos. More on that in the news.

In this week's sponsor interview we catch up with RSA's CSO Eddie Schwartz to chat about everything from crappy marketing to problems with mobile device-based 2FA. It's good stuff.

Adam Boileau, of course, takes a break from grooming his spectacular, manly beard to discuss the week's news headlines.

As many readers would no doubt already be aware, the FBI has just arrested 16 "members" of Anonymous in relation to DDoS attacks and intrusions.

The US Department of Justice swiftly issued a press release with the catchy, ALL CAPS title of "SIXTEEN INDIVIDUALS ARRESTED IN THE UNITED STATES FOR ALLEGED ROLES IN CYBER ATTACKS".

So this is a massive blow to "Anonymous" and its sophisticated campaign of mayhem, right?

Wrong.

One of the complaints details charges to be laid against Scott Matthew Arciszewski, 22. He's alleged to have somehow created an account on Infragard Tampa's Website and successfully uploaded a couple of files.

By the looks of things he made no attempt to hide his actions -- using his own IP address to conduct the "attack" -- then Tweeted about it and directed his followers toward his Website.

How stealthy.

What a criminal mastermind. I'll sure sleep better tonight knowing this criminal genius has been taken off the streets.

Another complaint alleges former AT&T contractor Lance Moore uploaded a bunch of commercially sensitive material to Fileape. That information was subsequently "redistributed" by LulzSec.

This guy isn't even alleged to be sailing aboard the Lulz Boat, but hey, at least the DoJ got to use the word "LulzSec" in an indictment. What a win!

The remaining 14 arrests deal with a DDoS attack against PayPal, apparently in retribution for that company's decision to suspend payment processing for Wikileaks. They were using LOIC. How 1337.

So what does this all amount to? A leaker with internal access (AT&T), a young guy who was able to pwn Infragard in about five minutes (great security, guys) and a bunch of LOIC users.

And yet the coverage I'm seeing still persists with this ridiculous idea that the arrests will be some sort of strike against Anonymous, the "group".

So here, let's try to get something straight, once and for all: Anonymous is not a group. It's not a hydra. It's not a "loose collective". Anonymous is just a designation. Why is that so hard to understand?

Let's try an analogy.

17th century pirates liked to steal booty. They sailed the high seas and pillaged. They had a common flag. But they WERE NOT A GROUP.

Sure, there were groups of pirates that sailed on ships together. There was a common outlook -- that plundering booty was a worthwhile activity, ho ho and a bottle of rum, all of that. But they were not a group.

There were pirate hangouts like pirate taverns, so there was congregation, but no leadership. Pirates were not a collective.

So let's clear it all up. The anons are the pirates, IRC channels and imageboards like 4chan are their pirate taverns, and the various Anonymous outfits like @AnonymousIRC and @AnonOPS are pirate ships with multiple pirates aboard. They're groups of pirates! Simple! See?

So when the Spanish, Turkish, British or whichever police force claims to have arrested "key members" of Anonymous I wonder if they're deliberately misleading the public and their masters, or if they genuinely just don't get it.

This current batch of arrests will "bring to justice" a bunch of people who made no attempt to conceal their actions because they're either technically useless or just didn't care.

They're "low hanging anons".

But that won't stop the mainstream media from portraying this as the establishment striking back at online troublemakers.

Sigh.

TL;DR: Feds arrest dummies, MSM hails capture of anon masterminds.

This week's show is all about the news -- a 30 minute dose of Metl!

With Anons being arrested, parties unknown pwning defence contractors in the name of #antisec, Sony doing (even more) dumb stuff, Zeus-grade viruses smashing Android devices, India trying to wiretap Skype, support for XP running out in less than three years, Microsoft Security Centre dishing out porn and Morgan Stanley losing customer info on unencrypted disks, we just didn't have time for a feature interview this week!

In this week's sponsor interview Astaro founder Markus Hennig joins us to discuss Sony's curious statement that its brand is recovering from all the negative press surrounding its security woes. Are they dreaming?

This week's edition of the show is brought to you by Tenable Network Security, thanks guys.

In this episode we're taking an in depth look at BitCoins. Most listeners would have heard of the fledgling online currency by now, but there are a number of things that make BitCoins extremely interesting. It's the world's first popular virtual, cryptographically supported commodity, and once you wrap your head around it, it's very cool stuff, regardless of whether or not you think it has a future.

I'll be joined by regular guest Paul Ducklin to talk about BitCoin, after the news.

In this week's sponsor interview we're joined by Tenable Network Security's Brian "Jericho" Martin. He's stopping by to discuss the trojaning of vsftpd. Some wise-ass modified the source so using a username against vsftpd that contains a smilie spawns a shell on 6200. Subtle.

Brian chats about that and his work with Attrition.org, tracking Sony's woes. The Sownage! That's all coming up after this week's feature interview. Before all of that we check the week's news with our very own beardy guy Adam Boileau!

AusCERT has broken an embargo, accidentally and prematurely broadcasting a security bulletin pertaining to multiple vulnerabilities in the BIND DNS server earlier today.

The accidental disclosure comes as the United States celebrates the evening of July 4, its independence day. The bulletin was supposed to be issued on the morning of July 6, US time. Instead, it was mailed to AusCERT's subscribers a short time ago.

The bugs themselves aren't Earth-shattering; two remote DoS conditions, including a packet-of-death-style attack. But operators of "important" BIND installations will likely be annoyed by the holiday-destroying timing of the release.

"We made a mistake, we weren't supposed to issue them," AusCERT's general manager Graham Ingram told Risky.Biz. "We've apologised to group involved, we didn't quite understand the embargo, we missed it, and we accidentally released it."

AusCERT sent a bulletin recall a short time ago. In part, it reads: "We apologise if the premature announcement has caused you to initiate any action for which you are unprepared and which must now be interrupted. Please do not distribute the AusCERT bulletin. Please delete it from your system immediately and permanently."

The extra two days lead time would-be attackers may have up their sleeve due to the disclosure is unlikely to be sufficient for the bug to be weaponised before ISC2 releases the relevant patches, said a security professional who declined to be named.

"It looks like the new code/version isn't up yet, but given the statement says there's no known workarounds, it would still be of concern to an admin," our uber-sekr3t source says. "But it's an unauthenticated remote DoS. If it was a remote code execution issue, the information in the bulletin would be more useful to an attacker."

TL;DR: AusCERT make boo boo. Drunk/hungover/angry BIND admins work holiday.

Check out the latest Risky Business podcast here.

Episode 200 FTW!

In this week's feature interview we'll be chatting with Daniel Grzelak. Dan's the founder of shouldichangemypassword.com -- and interesting little website that pulls together compromised information and lets you see if you've been affected.

Dan was searching Google for .sql files that had inadvertently been made accessible online and indexed... aaaaand he found the entire database for Groupon India including plaintext passwords FOR THE LOSE!!! He'll be telling us all about that after the news.

Adam Boileau, of course, joins the show to discuss the week's security news.

NOTE: CONTAINS EXPLICIT LANGUAGE. NO NAUGHTY WORD EDITS THIS WEEK.

The database includes the e-mail addresses and clear-text passwords of the site's 300,000 users. It was discovered by Australian security consultant Daniel Grzelak as he searched for publicly accessible databases containing e-mail address and password pairs.

Grzelak used Google to search for SQL database files that were web accessible and contained keywords like "password" and "gmail".

"A few hours and tweaks later, this database came up," he said. "I started scrolling, and scrolling and I couldn't get to the bottom of the file. Then I realised how big it actually was."

Since leaving a security consulting position with Australian information security company Stratsec, Grzelak has been working on a start-up gaming media company with two friends.

As a side project, he created shouldichangemypassword.com, a website that allows any Internet user to search a database of known-compromised e-mail address and password pairs to see if their password has been compromised.

Grzelak was searching for more compromised accounts to add to the website's database when he stumbled across the Sosasta database.

The shouldichangemypassword.com database includes leaked or stolen account information from 17 recent high-profile breaches. "There are now... 1.3 million records on the site," he said. "All the LulzSec releases are included as well as data from other high profile incidents such as the Mt. Gox Bitcoin exchange hack and the Gawker breach from a year ago."

Grzelak contacted Risky.Biz after the Sosasta discovery to seek advice on disclosure. This website contacted the CEO of Groupon, Andrew Mason, who called back personally within 24 hours of initial contact.

The database was removed immediately and the company has launched an internal investigation to find out how it wound up publicly accessible in the first place.

Groupon is notifying all its Sosasta users of the incident and is advising them that the passwords they used on the website are now compromised and cannot be relied upon to secure other accounts.

Grzelak, meanwhile, says this type of accidental disclosure is actually quite common. "There are thousands of these databases indexed by Google," he said. "This just happened to be by far the biggest I found."

Groupon's statement is below:

On Friday morning India time (Thursday night Central US time), Groupon was alerted to a security issue potentially affecting subscribers of Sosasta, a website acquired by Groupon in January 2011.

After being alerted to this issue by an information security expert, we corrected the problem immediately. We have begun notifying our subscribers and advising them to change their Sosasta passwords as soon as possible. We will keep our Indian subscribers fully informed as we learn more.

Sosasta runs on its own platform and servers, and is not connected to Groupon sites in other countries.

We are thoroughly reviewing our security procedures for Sosasta and are implementing measures designed to prevent this kind of issue from recurring.

This issue does not affect data from any other country or region.

Groupon takes security and privacy very seriously. Our users' trust is of paramount importance to us and we deeply regret this incident. We will provide more information as soon as possible.

Ed: Some of the search string in the Google search screen capture has been redacted. It brought up more exposed databases...

Click here for the latest Risky Business podcast.