Podcasts

What a week in information security! Between Kernel.org getting owned, the Iranian Government apparently hacking a Dutch CA to mint around 250 valid certs for stuff like *.google.com and Wikileaks experiencing a spectacular opsec fail, there's plenty to talk about in this week's news segment with Adam Boileau.

In this week's feature interview we speak with Greens Senator Scott Ludlam about the governments proposed Cybercrime Legislation Amendment Bill. There's been a lot of FUD out there on this one and Senator Ludlam joins the show to dispel some myths and discuss some specific improvements the Greens would like to see made to the package of legislation.

This week's sponsor interview is with Ron Gula, CEO of Tenable Network Security.

Ron says some people out there in the market are forming a consensus that preventing attacks is just too hard, and so they're focussing too much on merely detecting compromises. Ron says a balanced approach is better. He joined me by phone to discuss.

* By the way, the company Ron mentions a company named Kyrus. Wasn't very clear in the recording.

This week's feature interview is with anonymous infosec blogger Diocyde.

He has access to some fairly sensitive shit, so we can't tell you his name and we've had to disguise his voice.

Diocyde is best known as the author of the Veiled Shadows blog.

On it, he's written volumes about state-sponsored attacks against the United States. He's tracked who he says are Chinese malware writers and basically doxed them on the blog. He's advocated a hot cyber-war against China to stop that country from continuing to siphon off US-developed intellectual property and intelligence and he's written it all under the influence of pure fury.

Chinese attacks against the USA make this guy angry, as does the idea that attribution in the cyber sphere is difficult.

Interest in Diocyde's blog really took off when links to it popped up in e-mail stolen from HBGary Federal. Things got even more interesting when a few of his posts not only disappeared from the blog, but also disappeared from Google's cache.

In particular, one post titled "Busting the APT can wide open" went missing. It contained a large amount of intelligence on Chinese malware writers.

It was a fascinating read, and it's been completely removed from the Internet.

Doicyde joined me to discuss his blog, the missing posts, Chinese cyber espionage and attribution.

This week's sponsor interview is with RSA Product Manager Jeffery Carpenter.

This week we're chatting to Jeff about RSA's vision for the future of two-factor authentication. Are soft tokens becoming more popular? Is that a problem? What role will mobile device features like NFC play in the 2FA equation in the future?

Also this week, Adam Boileau joins us with the week's news headlines.

You may have heard about Microsoft's Blue Hat Prize for defensive security research. The company is running a contest for the best memory corruption bug mitigation technology. So, if you reckon you've found the next DEP or ASLR, you could be eligible for the company's $200,000 first prize.

It marks a departure from bug bounties -- this is a contest that rewards defensive research, not just new attacks.

There has, however, been a limited but vocal backlash. Security development firm Supreption took to its blog to describe the contest as a "late April Fools joke".

Winners of the contest maintain ownership of their ideas and intellectual property, but Microsoft assumes right to implement any entries it chooses into its operating systems. The guys at Supreption say that means Microsoft is getting way too good a deal for its prizemoney.

The blog claims the PaX team, creators of ASLR, support the company's position.

Microsoft's Katie Moussouris joins the show to face the criticisms and defend the prize.

Adam Boileau, of course, joins the show to discuss the week's news headlines.

A massive Pastebin dump of domain names and IP addresses supposedly linked to a cyber espionage ring appears to be the real deal.

The Pastebin dump, dated August 15, lists around 850 entries containing domain names and IP addresses, supposedly leaked by "RSA Employee #15666". The dump asserts the IP addresses and domain names listed are used in command and control operations by a cyber-espionage ring.

"My sincerest apologies go out to those with ongoing monitoring operations on any of the IP addresses involved," the dump reads. "These attacks have targeted US and Canadian companies almost exclusively for at least five years... and continue to be extremely effective."

The dump claims the operation targets include private US defence firms.

The dump also makes the explosive claim that many of the IP addresses are monitored by private information security companies "...for the purpose of supplying stolen information back to the affected companies."

"Stolen data is effectively held hostage for the price of doing business with the company in the know," the dump reads.

The idea might sound like an unlikely conspiracy theory, but it's lent some serious credibility by a leaked HBGary analysis of some of the same IP addresses and domain names. That analysis appears to confirm their authenticity as espionage-linked callback IPs.

The analysis, which was leaked by an attack on HBGary Federal by Anonymous in February this year, identifies each IP address as a callback address for custom malware used in espionage operations, presumably operating out of China. The IP addresses serve a configuration file that re-directs infected hosts to an interactive command and control IP based in Hong Kong.

The vast majority of the leaked IP addresses are physically located in the US.

HBGary codenamed the operation "Soysauce".

"The soysauce group targets a large number of defense contractors who service the U.S.A," the analysis begins.

Alarmingly, the HBGary document suggests that each sub-domain of each registered domain name corresponds to a successfully compromised target.

Booz Allen Hamilton via bah001.blackcake.net, Mantech Corporation via mantech.blackcake.net and man001.blackcake.net.

So on, so forth.

This means each of the 850 entries in the dump potentially corresponds to a custom callback address for each successfully compromised victim.

To cut a long story short, if you find any of those IPs in your logs, you're likely owned by the Chinese government.

If you don't find them, you're probably owned anyway.

Risky.Biz has no reason to believe Pastebin data was actually leaked by an RSA employee.

Subscribe to the Risky Business podcast here.

Check out our podcast directory here.

In this week's feature interview we're chatting with Dino A Dai Zovi about Mac security -- Dino's well known as a Mac hacker and he's just done a BlackHat talk in which he evaluated Apple's IOS 4.x operating system for enterprise suitability. How did it stack up? Find out after the news!

Also this week we check in with Sophos Network Security director of support Alan Toews about Moxie Marlinspike's latest work, an alternative way of doing SSL certificates that completely does away with CAs. That's this week's sponsor interview.

Adam Boileau, of course, joins us for this week's news.

On this week's show we're taking a look at the most devastating state sponsored planet melting, child eating APT the world has ever seen... according to Gizmodo it's the BIGGEST CYBER ATTACK IN HISTORY.

Ummm... actually no, it's a fairly unsophisticated botnet comprising of 70 targeted infections.

It seems like the tech guys and analysts at McAfee did some interesting work in seizing control of a small botnet, then the salesbots, marketroids and public relationamatrons got their hands on it and spun it way out of perspective. The result? The media describing a fairly run-of-the-mill spooky botnet as the end of the world.

We'll be joined by Searn Duca of McAfee -- a very nice chap -- to have a chat about some of the detail of the so-called operation Shady RAT, which to me, seems more like operation shady AV vendor sales and marketing pitch. The media has spun this one way out of control, much, I'm sure, to the delight of the PRs at McAfee and the irritation of the wider infosec industry!

Also in this week's show we're joined by Marcus Ranum in the sponsor interview. Marcus is, of course, Tenable Network Security's CSO, and he joins me to discuss the US military's new cyber warfare doctrine -- you know, the one that explicitly states the US can use kinetic retribution in the event of a cyber attack.

So, like, doesn't that mean Iran can go and air-strike US nuclear refineries now? Heh... heh... yeah. :'( Marcus joins us to discuss that toward the end of the show -- that's actually a really interesting chat.

We're also joined by Adam Boileau, as usual, to go over the week's news headlines.

This week we're chatting with Detective Superintendent Brad Marden of the Australian Federal Police. While the FBI are out locking up Low Orbit Ion Cannon users on no-bail warrants, Mr. Marden and his team, apparently, are out doing real, actual police work to catch real, alleged criminals. How refreshing!

Listeners to this program would have heard of the case of Distribute.IT -- an Australian domain name registrar and hosting company that got majorly worked by a hacker calling himself "Evil from efnet".

After entry, the attacker rm -rf'd the entire company and basically destroyed the business. What remained of the company's assets were sold at presumably fire-sale prices to NetRegistry, another Australian company.

Well, earlier this week the AFP arrested an unemployed truck driver as a result of its investigation into the distribute.it matter. The suspect, 25-year-old David Cecil, has been charged with 49 offences relating a breach at a company called Platform Networks, but police have hinted that further charges are to come.

Marden joins the program to discuss the arrest.

Adam Boileau drops in to discuss the week's news, including the arrest of alleged LulzSec member Topiary in Scotland.

In this week's feature interview we're chatting with Silvio Cesare.

Silvio's an extremely well regarded infosec guy down here in Oz. He'll be chatting to us about his experience in academia. Silvio argues much criticism of academia in industry largely misses the point, and academia actually serves infosec quite well. Cryptography anyone?

This was also the week that saw LulzSec make a spectacular return to the public eye. It was also the week the FBI rounded up around 16 "cyber criminals". Well, actually it was more like 14 LOIC users and a couple of scripty-tardos. More on that in the news.

In this week's sponsor interview we catch up with RSA's CSO Eddie Schwartz to chat about everything from crappy marketing to problems with mobile device-based 2FA. It's good stuff.

Adam Boileau, of course, takes a break from grooming his spectacular, manly beard to discuss the week's news headlines.

As many readers would no doubt already be aware, the FBI has just arrested 16 "members" of Anonymous in relation to DDoS attacks and intrusions.

The US Department of Justice swiftly issued a press release with the catchy, ALL CAPS title of "SIXTEEN INDIVIDUALS ARRESTED IN THE UNITED STATES FOR ALLEGED ROLES IN CYBER ATTACKS".

So this is a massive blow to "Anonymous" and its sophisticated campaign of mayhem, right?

Wrong.

One of the complaints details charges to be laid against Scott Matthew Arciszewski, 22. He's alleged to have somehow created an account on Infragard Tampa's Website and successfully uploaded a couple of files.

By the looks of things he made no attempt to hide his actions -- using his own IP address to conduct the "attack" -- then Tweeted about it and directed his followers toward his Website.

How stealthy.

What a criminal mastermind. I'll sure sleep better tonight knowing this criminal genius has been taken off the streets.

Another complaint alleges former AT&T contractor Lance Moore uploaded a bunch of commercially sensitive material to Fileape. That information was subsequently "redistributed" by LulzSec.

This guy isn't even alleged to be sailing aboard the Lulz Boat, but hey, at least the DoJ got to use the word "LulzSec" in an indictment. What a win!

The remaining 14 arrests deal with a DDoS attack against PayPal, apparently in retribution for that company's decision to suspend payment processing for Wikileaks. They were using LOIC. How 1337.

So what does this all amount to? A leaker with internal access (AT&T), a young guy who was able to pwn Infragard in about five minutes (great security, guys) and a bunch of LOIC users.

And yet the coverage I'm seeing still persists with this ridiculous idea that the arrests will be some sort of strike against Anonymous, the "group".

So here, let's try to get something straight, once and for all: Anonymous is not a group. It's not a hydra. It's not a "loose collective". Anonymous is just a designation. Why is that so hard to understand?

Let's try an analogy.

17th century pirates liked to steal booty. They sailed the high seas and pillaged. They had a common flag. But they WERE NOT A GROUP.

Sure, there were groups of pirates that sailed on ships together. There was a common outlook -- that plundering booty was a worthwhile activity, ho ho and a bottle of rum, all of that. But they were not a group.

There were pirate hangouts like pirate taverns, so there was congregation, but no leadership. Pirates were not a collective.

So let's clear it all up. The anons are the pirates, IRC channels and imageboards like 4chan are their pirate taverns, and the various Anonymous outfits like @AnonymousIRC and @AnonOPS are pirate ships with multiple pirates aboard. They're groups of pirates! Simple! See?

So when the Spanish, Turkish, British or whichever police force claims to have arrested "key members" of Anonymous I wonder if they're deliberately misleading the public and their masters, or if they genuinely just don't get it.

This current batch of arrests will "bring to justice" a bunch of people who made no attempt to conceal their actions because they're either technically useless or just didn't care.

They're "low hanging anons".

But that won't stop the mainstream media from portraying this as the establishment striking back at online troublemakers.

Sigh.

TL;DR: Feds arrest dummies, MSM hails capture of anon masterminds.

This week's show is all about the news -- a 30 minute dose of Metl!

With Anons being arrested, parties unknown pwning defence contractors in the name of #antisec, Sony doing (even more) dumb stuff, Zeus-grade viruses smashing Android devices, India trying to wiretap Skype, support for XP running out in less than three years, Microsoft Security Centre dishing out porn and Morgan Stanley losing customer info on unencrypted disks, we just didn't have time for a feature interview this week!

In this week's sponsor interview Astaro founder Markus Hennig joins us to discuss Sony's curious statement that its brand is recovering from all the negative press surrounding its security woes. Are they dreaming?