Risky Business #227 -- Surveillance, the state and fascism

Presented by Patrick Gray (CEO and Publisher) and Adam Boileau (Technology Editor)

In this week's feature interview you'll hear part two of my interview with In-Q-Tel's CSO Dan Geer. We chat with Dan about electronic surveillance, the state, fascism and even the "digital Amish".

He is, as always, fascinating.

This week's edition of the show is brought to you by Hacklabs, an Australian penetration testing firm. Some homegrown support! Thanks, guys.

Hacklabs' very own Chris Gatford will be along in this week's sponsor interview to have a chat about Glenn Mangham, the Brit who's now serving a prison term for hacking Facebook despite his claim to be all very, very white-hatty.

Adam Boileau, as always, checks in to discuss the week's news headlines.

Risky Business #226 -- "Digital Exhaust" with Dan Geer

Presented by Patrick Gray (CEO and Publisher) and Adam Boileau (Technology Editor)

On this week's show we chat with information security legend Dan Geer about traffic analysis and "digital exhaust".

Everything we do online produces a tonne of metadata. What can be inferred through the analysis of this metadata and who's likely to analyse it?

Part one of my chat with Dan Geer is this week's feature interview.

This week's show is sponsored by RSA Security, the security division of EMC.

So in this week's sponsor interview we're chatting with RSA's Mason Hooper about the company's 2012 Cybercrime Trends Report. Is Zeus still Zeusy? Still Godlike? We'll find out at the back of this week's show.

Adam Boileau, of course, drops in to discuss the week's news headlines.

Risky Business #225 -- Will DMARC actually help anyone?

Presented by Patrick Gray (CEO and Publisher) and Adam Boileau (Technology Editor)

On this week's show we're taking a look at the DMARC anti-phishing effort. We mentioned it on the news last week, but we're going to get into it properly with our good buddy Paul Ducklin. He's along after the news.

This week's show is sponsored by Tenable Network Security.

Tenable's chief executive Ron Gula will be along in this week's sponsor interview to chat about the theft of Symantec's source code. He doesn't think it's a world ender, and you know what, he's probably right! He's along after this week's feature interview.

There's also plenty of news to discuss with our news co-host Adam Boileau!

You can "like" Risky Business on Facebook here.

Find Patrick Gray on Twitter here.

Symantec light on AV compromise specifics

Presented by Patrick Gray (CEO and Publisher)

Symantec claims customers using its endpoint protection and antivirus products are not at risk following revelations the company's AV source code was stolen in 2006.

But when it comes to providing specifics, Symantec is guarded.

Following yesterday's blog post, Symantec has claimed recycled source code from its corporate antivirus product of 2006 makes up only 5% of current endpoint protection software.

But it won't say which 5%.

Furthermore, 5% of Symantec's latest bells-and-whistles endpoint security products is a lot of code; basic corporate AV solutions from 2006 were pretty small by comparison to today's bloatware. So it could well be that a large proportion of the stolen code is actually in the current product. THAT's the percentage I'd like to see.

Here's the company's response to yesterday's questions, and below that my lingering unease about the company's answers.

    We have definitely analyzed the 5% of the code and have determined it to be benign enough in nature not to present a security threat to current Symantec and Norton users if an attempt was made to exploit it for the purposes of a cyber attack. Furthermore, as mentioned in the previous e-mails, the combination of features in the current Symantec and Norton software would protect customers against an attack. For competitive purposes and protection of our intellectual property, we are not going to get into the specifics of the exact functionality of the 5% of that code.

    Given the visibility of this incident, i.e. there is consistent monitoring of our communications by hackers and the Anonymous group, we're hesitant to provide specifics on the size of the code for NAV CE and SEP 10.2 (hence someone may be able to tell what they have or don't have based on the size alone). However, you are correct that the total amount of code for Symantec Endpoint Protection is demonstrably larger than NAV CE, again, if for no other reasons than to accommodate all of the new features and functionalities layered upon over the previous six years.

More technical readers would know that the claims that extra features in the company's newer endpoint protection software would make exploitability impossible are quite simply bunk.

Sure, they might provide some defence-in-depth protection against malware, but I fail to see how a new, whiz-bang file reputation ranking engine will prevent targeted exploitation of vulnerable AV scanning engine code, for example.

Further, Symantec has stated it analysed the relevant code and determined it's not vulnerable, but won't say which chunks of that code have found their way into current products. Why? Surely if the code is good it can say which component is still being used in current source trees.

Also, calling Anonymous a "group" is a bit silly, especially in this instance as it was a bunch of people calling themselves the Lords of Dharmaraja who claimed credit for the attack. Anons have just been chuckling along with them. For a company like Symantec to conflate this compromise with the activities of a broader meme/movement like Anonymous may be convenient for PR purposes, but it's not really accurate.

So, brass tacks time: It's unlikely the Symantec AV source code that's doing its rounds over the Internet is going to really help attackers out there in a meaningful way. That said, I get the impression that Twitter user @GMKnowBoulder was right yesterday when they said Symantec seems stuck in the "quantum void between the engineering force and the marketing dark side".

So who out there can be bothered bindiffing NAV CE circa 2006 against current endpoint protection products?

UPDATED: Symantec's spin department at work?

Presented by Patrick Gray (CEO and Publisher)

UPDATED WITH COMMENT FROM SYMANTEC BELOW

So it's happened -- a significant chunk of Symantec's source code has been made available online as a torrent.

This followed the release of a pretty loltastic Pastebin dump which purports to show e-mail negotiations between a Symantec staffer and the hackers who obtained the source.

In the alleged correspondence the Symantec rep offers said hackers $50,000, paid in $2,500 monthly instalments, in exchange for guarantees they won't publish the source and issue a statement saying the breach never happened.

Symantec claims the whole thing was a setup designed to draw the attackers out. That claim is entirely credible.

The publication of the correspondence is nonetheless embarrassing for Symantec, which has actually handled this whole situation pretty well.

When it realised its source code for PC Anywhere had been walked in 2006 it initiated an urgent audit of the relevant code and found some major problems. It recommended users stop using PC Anywhere until it issued a series of patches correcting the bugs. Those patches are out.

Of course the question remains as to why they took until now to review the security of the PC Anywhere source. The bugs they found were really, really serious. And obvious. And had been there for five years at the very least.

But what really puzzles me is the company's attitude towards the publication of its corporate antivirus software. PC Magazine published an article that quoted a Symantec representative as saying:

    To be correct, the code is for Norton Antivirus Corporate Edition, i.e., what used to be used by enterprises. As it is, customers face no security threats if the code is posted. It's a product that is no longer available, supported, or sold.

    The code is so old that even if there were attempts to generate a cyber attack, it would take on the characteristics of a 2006 attack. The age of the code inherently limits what can be done with it. It is, essentially, worthless code. At this point, Anonymous would be releasing it for PR purposes and that's it.

That's a bold statement but it could well be true. But what exactly is Symantec saying here? Is it saying that absolutely no source code from its old Corporate Edition has found its way into current enterprise software?

Also, what characteristics, exactly, do "2006 attacks" possess? How does the "age of the code" limit what can be done with it?

That whole statement is just weird, and until we get more information out of the big yellow S it just raises more questions than it answers.

I'll be firing off some questions to Symantec PR on this and we'll see what they say.

UPDATE: The PR gnomes at Symantec have issued this response:

    "Based on our analysis, the Norton Antivirus Corporate Edition code in question represents a small percentage of the pre-release source for the Symantec AntiVirus 10.2 product, accounting for less than 5% of the product.

    As such, that is not enough of a percentage to mount or develop a successful cyber attack against current Symantec and Norton solutions.

    If customers are using the current version of their Symantec or Norton products, they will be protected against attacks that might result from the theft and possible disclosure of the code."

I've pushed back again to ask a few follow-ups... like, WHICH 5% is still in the product? Was the other 95% of the code rewritten from scratch? Or was some of it just "updated" from the original source? Did they have the AV products audited in the same way PC Anywhere got the once-over? etc.

Will hopefully have an update soon.

Verisign pwnz0red: Reuters report

Presented by Patrick Gray (CEO and Publisher)

An interesting news piece hit the wires overnight describing the 2010 breach of a handful of Verisign's corporate systems.

The story was broken by the Reuters news agency and is peppered with sensational quotes like a former NSA and DHS guy saying "ZOMG this will end the interwebz" despite the fact the guy knows about as much as we do about the breach. You can read the whole thing here.

It's interesting for several reasons. Firstly, the reason we know about this event is because it was disclosed in the company's SEC filings. Secondly, Verisign is a very important company when it comes to the issuance of digital certificates. And finally, the story is made all the more fascinating by the vagaries of the disclosure. The filing is a tad light on specifics, like what data was actually "exfiltrated".

It's also a sad sign of what's become of the technology media. The breach was disclosed in an SEC filing back in October, but has only hit the news now.

Symantec says there's no evidence to suggest the breach affected its SSL systems, which, if true, means the story as reported is a bit of a beat up.

I suspect this breach is unlikely to be of the magnitude of the RSA hack or Aurora attacks against Google. If anything it tells us more about the sorts of disclosures we're likely to see in future SEC filings in the USA.

But who knows? Sometimes these stories are slow burners...

Either way, the fact that no one would be surprised if Verisign's SSL boxes got pwned is proof enough that browser manufacturers need to redouble their efforts in protecting users from man-in-the-middle attacks performed with illicitly issued but "technically legitimate" certificates. I believe Chrome already pins certs for most major websites and IE might already do it too.

What does your gut feel say? Drop us a comment!

Risky Business #224 -- Lost source and open relays: 2012 is here

Presented by Patrick Gray (CEO and Publisher) and Adam Boileau (Technology Editor)

Risky Business is back for 2012! This week's edition of the show is sponsored by Adobe.

And as it's our first week back we're focussing mostly on catching up on the news of the last six weeks or so. Between McAfee turning its customers into open relays -- that wound up being used by spammers -- and Symantec realising its source code walked six years ago, it's been a cracking start to the year.

Risky Business news co-host Adam Boileau joins the show to run through the key highlights of the last six weeks.

Also in this week's show, Adobe's product security chief Brad Arkin joins the show to talk about the virtues of silent patching. Brad's been on board with Adobe since 2008 and says the company has actually made progress in the product security arena. Have a listen to him and judge for yourself!

The production of this week's show did not go smoothly. My SSD died, with the entire, unedited show on it. Two people really, really helped out and saved this week's podcast.

Adam Pointon donated a couple of hours of his Tuesday evening and managed to recover the interviews from the dead drive. Massive thanks to him. Jonathan Wrigley of Xero Computing in Carlton let me use one of his display systems to finish cutting together the show.

So big, big thanks to both of them. If you live in Melbourne, by all means pop into Jonno's shop and pick up some stuff for your Mac. Enjoy the show!

Risky Business #223 -- Summer edition: Drones pwned?

Presented by Patrick Gray (CEO and Publisher) and Adam Boileau (Technology Editor)

This is a special summer edition of the Risky Business podcast. There's no feature interview or sponsor interview -- just Adam Boileau and Patrick Gray discussing the most interesting security news items of the last three weeks, including:

  • Did Persians pwn Drones?
  • Bradley Manning faces court
  • HP to face printer vulnerability lawsuit
  • Could the USA's SOPA law break DNSSEC?
  • GlobalSign says its CA systems were never compromised
  • New guidelines for issuance of SSL certs
  • Microsoft to silently update IE in 2012
  • Fun fact: Ukrainian general arrested for online fraud
  • Putin's Twitterbots drown anti-regime hashtags
  • Mexican government dismantles Los Zetas' massive comms network
  • CNet's Download.com bundles crapware with nmap

Risky Business #222 -- Never pay for roaming data again

Presented by Patrick Gray (CEO and Publisher) and Adam Boileau (Technology Editor)

I thought we'd just have a bit of a fun feature for the last show of the year. It's an interview with Edith Cowan University's Peter Hannay about a presentation he did at Ruxcon back in 2010, all about turning Amazon's Kindle into a completely free internet access device that works all over the world.

That's right, no subscriber fees and 3G access in a zillion countries.

He'll tell you how you can hack your Kindle to use it as a completely free USB Internet access device pretty much anywhere in the world. No more data roaming for you! W00t w00t! SSH everywhere!

Astaro's Angelo Comazzetto takes a look back on Sony's 2011 woes in this week's sponsor interview and Adam Boileau joins us, as always, to discuss the week's news.

Peter Hannay's Kindle code can be found here.

Oops! McAfee discloses 1k customer e-mails

Presented by Patrick Gray (CEO and Publisher)

McAfee Australia leaked 971 customer e-mail addresses in a botched e-mail marketing campaign last week.

The addresses of the recipients were placed in the visible TO field instead of the BCC field.

It's an all-too-common mistake, made especially embarrassing for McAfee because it's not the first time in recent memory something like this has happened.

In July, 2009, the company accidentally attached the full contact details of 1,400 customers to a marketing mailout.

The latest e-mails to leak are those of enterprise and government contacts, not consumers.

In response to a query from Risky.Biz, McAfee released the following statement through its public relations firm Spectrum Communications:

    Late last week McAfee sent an email inviting a small percentage of McAfee customers, based in New South Wales, to its Enterprise Mobility Management webinar. Due to human error and contrary to McAfee policy and procedure, the email inadvertently revealed the recipient email addresses.

    This error has been investigated and we are in the process of contacting the people affected to apologise, provide information and request that recipients delete the email addresses we have shared in error.

    We are taking this opportunity to remind all staff of the importance of our processes around customer communications.

This sort of thing is always so embarrassing...