Podcasts

The online customer database of a New Zealand-headquartered pizza store chain has been compromised.

Risky.Biz understands multiple intruders have compromised Hell Pizza's 400mb database. While it does not contain any credit card information, it does contain in excess of 230,000 rows of customer entries.

The company operates 64 stores in New Zealand, three in England, nine in Australia and one in Ireland.

The database entries include the full names, addresses, phone numbers, e-mail addresses, passwords and order history for the company's customers. The information is "doing the rounds" across New Zealand.

Some who came into contact with the database contacted the company last year, posing as "concerned customers", but received no acknowledgement of the data breach. They fear the database may have already found its way into the wrong hands.

When contacted by Risky.Biz, Hell Pizza co-owner Stuart McMullin said he was unaware of the data breach. He offered no comment when a list of questions was e-mailed to him, beyond acknowledging the contact from "concerned customers" in 2009.

"I have spoken to my IT staff and they are not aware that our site was hacked or any records lost," McMullin wrote in an e-mail to Risky.Biz. "There were a couple of 'customers' that thought it was the case last year who emailed us - perhaps these are the sources you are referring to - but not to our knowledge."

While the database has become a valuable tool for security professionals in New Zealand, they believe the exposure of the data is exposing the company's customers to spam and other attacks.

It's possible that many users have recycled their passwords between their e-mail, PayPal, TradeMe, banking, eBay, Hell Pizza and other accounts. Even if just a few percent of the company's customers are recycling passwords, the database is worth obtaining, they say.

Downloading the Hell Pizza database, apparently, was very easy.

One source Risky.Biz spoke to says they looked into the security of the website when rumours of the breach started doing the rounds:

Immediately I spotted the SQL Queries being made by the Flash SWF as part of the query string to the server-side. The Flash client makes queries which are hard-coded in the .swf (this is dumb as it means SQL Injection is effectively a 'feature' of the store).

You could easily alter the query string to show the hashes stored in the MySQL users table. I figured out the version of MySQL was 4.0 (Debian Sarge) - and the hashes in this version are very weak, cracking them would take less than a couple of hours.

MySQL was listening on a remote port, so one could simply log in remotely and run queries or dump the database slowly so as to not be noticed.

Security researcher and Metasploit creator H D Moore described the security arrangements of the online ordering portal, as described above, as "about 50 steps of fail".

Another penetration tester says the Hell Pizza database is an excellent example of "non critical" information that could still be used by attackers for great benefit.

The Chair of New Zealand's Internet Task Force, Paul McKitrick, told Risky.Biz that he had heard rumours of the database circulating around the security community as far back as last year.

"A database like this of New Zealand users' personal information provides miscreants with a valuable list of commonly used, New Zealand-centric passwords which could prove useful in brute forcing passwords," he said.

"If Hell Pizza were aware of this then they should have notified their customers. I do not know what actions Hell Pizza took, but I was a customer and I have never received any notification that my personal information has been compromised."

McKitrick, the former head of the New Zealand Government's Centre for Critical Infrastructure Protection, added organisations that collect and store the personal details of their customers, have a responsibility to notify their customers if they believe that there has been a breach of their personal information.

"This enables customers to do something about mitigating their own personal exposure, such as ensuring that the compromised password was changed everywhere it had been used, because people frequently reuse their passwords."

Hell Pizza reported the breach to police after Risky.Biz provided it with some database excerpts it could verify.

So here's some food for thought: According to a report in the Washington Post, 22 US Government departments and 143 private companies are involved in top secret "cyber operations" programs.

The numbers were revealed as the paper published the results of a two-year investigation into the post 9-11 military industrial and intelligence complex in the United States. They seem to confirm the emergence of a "military digital complex".

More on that in a bit.

The investigation is said to have caused minor panic in the intelligence community in the United States, and you can see why. While the newspaper hasn't unveiled any secret information, per se, some of its revelations are staggering:

• 854,000 Americans hold top secret security clearances.
• As many agencies and contractors are involved in top secret cyber ops as are involved in top secret border control.
• 1,271 Government organisations and 1,931 private companies work on intelligence, counter terrorism and homeland security related programs.

Cyber Operations, as defined by The Washington Post, encompasses "the fields of computer network attack, computer network exploitation, and computer network defence".

The category also includes "traditional electronic warfare" intended to knock out electronically dependent equipment. EMP anyone?

There's an interesting table here that shows where the money's going.

I discussed the emergence of "militarised hacking" nearly two years ago with Dan Geer, the Chief Information Security Officer of In-Q-Tel, a strange organisation that essentially acts as the CIA's private investment arm. I should stress here that Dan was not being interviewed as a representative of In-Q-Tel, just as an infosec luminary.

The topic of the interview was the emergence of the "military digital complex".

US President Dwight Eisenhower coined the term "military industrial complex" during his farewell address in 1961. His speech warned the United States was in danger of developing a war-dependent economy.

Could the same happen in the digital arena? I asked Geer in 2008 if we were seeing the emergence of a "military digital complex".

"There comes a point at which the legitimate questions of nation statehood, of sovereignty, also get confabulated with the interests of what had been an industrial world and is now a digital world," he answered.

"It should come as no surprise to us I think, that those who... profit from war in materiel and machinery will be supplanted in time by those who profit in war from digital goods."

Click here to listen to that interview.

What The Washington Post has done is as good as confirm the emergence of this military digital complex.

Increasingly I'm hearing of exploits, for example, being hoovered up by US intelligence agencies. People are disappearing into opaque organisations to do work they can't talk about.

What we're talking about here is the militarisation of computer hacking, something I find ironic given the counter-culture and rebellious roots of "the scene".

It's natural, I suppose, for a government to develop an offensive and defensive "cyber ops" capability.

But when does a ramp-up in capability turn into an arms race? How can we act surprised when we read reports of China building a cyber-army when the US Government has 165 separate entities working on cyber ops programs that are classified top secret?

On another note, how much money is going into the development of this sort of capability due to the inherent insecurity of civilian digital technology used in both commercial and industrial applications? Wouldn't we be better served by actually securing the world's civilian digital infrastructure? That way we wouldn't need an arms race.

It's my feeling that we should watch what the US Government does here with a keen eye. I fear a new arms race -- a digital arms race -- could be emerging. That's bad news for everyone -- it will hoover up talent and technology to the detriment of our industry, for starters.

We cannot compete with military budgets. Talented infosec researchers and developers will be sucked into the war machine instead of working on technologies that can benefit wider society.

Watch this space closely.

On this week's show we take a fresh look at the insider threat in light of the news, here in Australia, that criminal syndicates are paying up to $40,000 to bribe service station attendants into helping them skim cards.

If the bad guys are willing to pay $40k for someone that low on the food chain, what will they pay to get at someone in your organisation?

To find out we'll be joined by Gartner research director, AusCERT co-founder and former Commonwealth Bank security big-wig Rob McMillan.

Also this week we chat with Kaspersky's Vitaly Kamlyuk in the sponsor interview.

We'll be chatting about Mozilla's blocking of a malicious plugin that siphoned usernames and passwords off unsuspecting users. What should browser manufacturers be doing to stop this sort of thing from happening?

Adam Boileau, as always, stops in with the week's news.

I am talking about the coverage of that story, where the reporting has largely been horrible, gullible, naive crap.\xa0 Sorry folks, but yes, that includes coverage from people I like.\xa0 If you believe a lot of what you read, you would think that a lot of people were "duped" into following/friending/linking/whatevering Ms. Sage.\xa0 This shows a gross lack of understanding of both social networking and the security community- both on the part of the journalists, and to a lesser extent, the researcher.

The people who "over-shared" really are a problem, and it may be interesting to see what Thomas Ryan (the person behind Robin Sage) presents at DefCon.\xa0 It looks like s/he got a lot of sensitive information from people who should know better- three letter agencies, military, and more.\xa0 Interesting, but "people are stupid and gullible" is not really ground-breaking, nor is mining/abusing social networking to prove this point a new idea either.\xa0 It does sound like the scope and scale may be noteworthy.\xa0 But not new, and being a skeptic, I'm not sure it is newsworthy.

Where things fall apart is the nonsense over stories which pretty much proclaim that MILLIONS OF SECURITY PROS DUPED, and point to the number of friends/links/etc. the virtually perky Ms. Sage gathered.\xa0 I would like to point out four things:

1. Different people use social networks in different ways.\xa0 Just because someone accepts your connection request does not mean they are fooled by you.\xa0 They may not even care if you are real or fake.

• Maybe they (sadly common) think that more connections means they are more important.
• Maybe they are public figures of some kind, and accept most requests as a matter of policy.\xa0 If people are careful with what information they share, there is nothing wrong with this. Nothing. It is voluntary, get over it.\xa0 It is how Social Media and Social Networking work for many people.\xa0 If you don't like this approach- don't use it.
• The decision to accept may be based on connections offered (via friend-of-a-friend linking) instead of being based on the person making the request.\xa0 Again, if you are cautious about what you share, there isn't a risk here- even if it is a pretty shallow move.\xa0 Robin certainly had some interesting friends/links to entice people.\xa0 Put another way: Some days, the wingman scores.

Once Robin Sage became fairly visible, the drama got interesting and a lot of people began following/linking to the myriad of Robin Sages (yes, there were clones and evil twins, too) just to watch the train wreck.\xa0 I was one of these, and like many others I had my suspicions- but didn't care if she was real, fake, or just another troll, there was entertainment.\xa0 People were not duped, they grabbed a beer and some popcorn and watched the show.

Robin Sage was called out.\xa0 Spotted.\xa0 Thoroughly outed.\xa0 Many thought "something was fishy".\xa0 Some people did actual research and provided real details.\xa0 People had to connect/accept to do the research and confirm their suspicions.\xa0 The press almost completely missed this critical point.\xa0 They also missed the fact that once this was widely known, even more people connected to and followed Robin to watch the evolving train wreck mentioned in point 2.

Mr.. Ryan apparently convinced (socially engineered) much of the media into thinking this was something it wasn't, then and the result was not journalism, it was an embarrassment.

And this is just the worst of it this week.\xa0 Half baked ideas, giant (and flawed) leaps of logic, obvious vendor spin, and more were on parade this week.\xa0 Maybe it was the heat and no one could think clearly.\xa0 Maybe it was Vacation from Healthy Skepticism Week and no one told me.\xa0 I don't know, but I'm not happy about it.

Jack

[Note: since posting, the question of linking to specific examples has come up. I debated it while writing this post, but in the end I decided that the issue was so pervasive that calling out specific writers or articles would not have been productive.]

This post originally ran on Jack Daniel's blog.

On this week's edition of the show we take a look at the security of Apple's iTunes store. If you haven't heard the news, it seems a rogue app developer was able to bill Apple customers for apps they never bought.

We'll find out just how well the Apple app store was put together in the first place when we speak with Karl Chaffey. He works for a mobile development company and put together an interesting lightning talk for last year's Kiwicon conference which was all about the iTunes store.

Also this week we'll be chatting with Veracode's director of product management Tim Jarrett in our sponsor interview. We'll be talking about how to keep things nice when you're maintaining live code... how much automated scanning should you do? How much manual testing?

Adam Boileau is the week's news guest.

US soldier Bradley Manning has been charged with disclosing classified material to whistleblower site Wikileaks.

But it's what he hasn't been charged with that's interesting.

Since the news of Manning's arrest broke there has been much speculation about the fate of 150,000 diplomatic cables the young soldier is alleged to have stolen.

However, according to the charge sheet, only 50 diplomatic cables were disclosed to an unnamed third party.

In the charge document the US government alleges Manning did "willfully communicate, deliver and transmit the cables, or cause the cables to be communicated, delivered, and transmitted, to a person not entitled to receive them".

While the charges allege Manning also stole 150,000 diplomatic cables, there's no mention of him leaking them to a "person not entitled to receive them".

This doesn't actually tell us whether or not Manning has leaked the 150,000 cables. What it does tell us is the US Military does not possess enough evidence to charge Manning with leaking that material.

Could it be that Wikileaks is sitting on those cables, withholding their publication until Manning's legal problems are over with? Or could it be that Manning was arrested before he could leak the 150,000 cables he allegedly stole?

It's impossible to say. But the omission of a charge involving the leaking of that information is certainly interesting.

Photo kiosks in Big W stores are allegedly infecting customers with USB-borne viruses.

The Windows-based Fuji photo kiosks located in the company's stores apparently don't run antivirus software, so lovely little bits of malicious software like Trojan.Poison-36 are winding up on customers' USB keys, according to Risky Business listener and blogger Morgan Storey.

On its own, an isolated incident of a photo kiosk infecting a USB device might not be newsworthy. But what makes this item stick out is Big W's reply to Morgan after he notified the company of the issue:



That's right folks, Big W, a subsidiary of Woolworths, didn't think it necessary to install antivirus on its photo printing kiosks. Sure, they're evaluating AV now, but blind Freddy could have seen this problem coming last year when the kiosks were installed.

What the hell were they thinking?

It's not just the lack of AV that's the problem. As Morgan points out it appears there's been zero thought put into the problem of malware spreading via these kiosks. Why not just treat customers USB devices as read-only? Why allow the kiosks to write to them at all?

Risky.Biz has so far been unable to confirm Morgan's post with Big W. According to the company's HQ the PR guy doesn't like being phoned and only takes media requests via e-mail. Seems an odd way to conduct PR, but hey, each to their own.

Risky.Biz e-mailed a series of questions to Big W at lunchtime today but as yet they remain unanswered.

It would be interesting to find out which company -- Fuji, Big W or even some other third party -- is responsible for the maintenance of the machines. It would also be interesting to find out if there are any liability issues here for Big W in light of its boneheaded lack of security planning.

WARNING: This week we missed some bad language during the edit... so hide this filthy podcast from your children's innocent ears.

On this week's show we're chatting with the head of Australia's Internet Industry Association (IIA), Peter Coroneos, about the government's plan to force internet users here to use antivirus software or be kicked off the tubes!

Peter was the architect of Australia's just released voluntary code for ISPs, but he'll be along soon to talk about why he thinks regulation here is actually a BAD idea. That's coming up soon.

In this week's sponsor interview we chat with Tenable Network Security CEO Ron Gula about APTs, or Advanced Persistent Threats. Are APTs a big deal? Are they real? Is this marketing hype? What's going on?

That's this week's sponsor interview, and it's coming up later.

Adam Boileau, as always, joins the show to discuss the week's news headlines.

I've followed with great interest Wired.com's coverage of the arrest of Private Bradley Manning, the young American soldier who allegedly leaked reams of classified US military material to Wikileaks.

I've also watched in disbelief as Wikileaks has lashed out at Wired.com journalist Kevin Poulsen, suggesting he somehow acted unethically in his reporting of the arrest.

In my mind all he did was scoop other outlets with the news of Manning's troubles. That's not unethical, that's just good journalism.

The Wikileaks Twitter account disagreed, suggesting there's a "special place in hell" for journalists like Poulsen and Adrian Lamo, the one-time greyhat hacker who turned Manning in.

Wikileaks founder Julian Assange is most likely the author of those infantile tweets.

Poulsen's reporting was excellent. My guess is Assange just didn't like the story. But instead of turning the other cheek, Wired.com has apparently fired back.

This piece by the Website's journalist Ryan Singel -- it would look bad if penned by Poulsen, after all -- breaks the news of Wikileaks apparently broken submission process.

While unquestionably newsworthy, the article reads like a classic attack piece, dripping with sarcasm. It's mocking.

In my view it is intended, clearly, to go beyond describing the broken submission process and portray Wikileaks as an unprofessional organisation undeserving of the "mostly-laudatory media portraying Wikileaks as a fearless, unstoppable outlet for documents that embarrass corporations and overbearing governments".

My guess is if Wikileaks is indeed sitting on 260,000 leaked diplomatic cables that describe, in painstaking detail, every example of skulduggery the US government has inflicted upon the Middle East in the last decade, a broken SSL cert is probably the last thing on its mind.

They might be more worried about, you know, the CIA death squads on their ass.

If Wired wants to hold the high ground in this little pissing contest it needs to be much more careful. The article makes no mention of the spat between Wired.com and Wikileaks and that's a big pile-o-fail, right there. That sort of thing needs to be disclosed to readers.

While we might expect this sort of behaviour from a pseudo-activist organisation like Wikileaks, we deserve better from a professional media organisation.

As for Wikileaks, keep 'dem docs coming.

We'll ignore your ridiculously biased contextualising of leaks if you keep giving us unedited source material.

You're not a professional news organisation that needs to be held to the same standard as Wired. Be as infantile as you want on Twitter.

(Wikileaks has denied the Wired story, saying its submission process is being upgraded to "deal with growth".)

Click here to listen to Risky.Biz's interview with former grey-hat hacker Adrian Lamo about his decision to turn in Manning.

What do you think? Comment below.

In this week's show we have a chat with iDefense threat analyst Kimberly Zenz.

Apparently Russian cybercrooks love to use ICQ, so US-based investigators are worried about the planned sale of ICQ to a Russia-based company called Digital Sky.

Kimberly's specialty is the Russian cybercrime scene, and apparently this mooted sale is interesting for a number of reasons. She joins the show to explain!

Adam Boileau is this week's news guest, and Vitaly Kamlyuk of Kaspersky Labs is this week's sponsor guest. In it we discuss the number of malware samples with valid authenticode signatures that are popping up.

With a system this loose is there actually a point to signing code?