Podcasts

Well it's official. I've made it: Gregory D Evans has ripped off my work!

Risky.Biz's pal Jericho from Attrition.org recently drew my attention to a book published by Evans and LIGATT Publishing called "Hi-Tech Hustler Scrapbook".

From what I can tell, it's just a collection of news and feature articles written by other people. Three of my articles from years ago made it into Evans' "scrapbook":

"Cyber Terrorism 'Merely a Theory'," November 11, 2003, ZDNet Australia

"Beware the Crime Lords of the Internet," May 31, 2005, The Age

"Computer Crime: Methods and Techniques," June 01, 2005 Sydney Morning Herald

When asked how he could justify cutting and pasting other peoples' work into a book and selling it for $39.95, Evans claimed that he got permission to use the articles he included.

He also says he didn't put his by-line or name on the book, so he's in the clear. Indeed, my by-line remained on my articles as reproduced in his book. You can read his ridiculous ramblings on the subject here.

Anyhoo, I thought I'd make 110% sure that permission wasn't given to Evans to use my articles in his book. I asked ZDNet Australia if someone over there gave Evans permission to reprint my work. Here's the response I received from the house of Z's Editorial Director Brian Haverty:

After checking with the global offices of ZDNet, I have found that the ZDNet content that appears in Gregory Evans' 'Hi-Tech Hustler Scrapbook' was not used with the permission of any authorised employee. If Mr Evans purports to have any evidence of permission being granted, we would very much like to see it.

So, just for the record, Gregory D Evans did not have my permission or the permission of my publisher to reprint "Cyber Terrorism 'Merely a Theory'," November 11, 2003, ZDNet Australia.

If you don't know who Gregory D Evans is, you're in for a fun hour's Googling.

This week's show is jam-packed! We'll be chatting with Andrea Barisani about a presentation he did with Daniele Bianco at CanSecWest this week. They're both from Inversepath, and the title of their talk was "Chip and PIN is definitely broken". Is it? Find out after the news.

Also this week we chat with CSO Adam Pointon. What can you do when your executives want to use their iPad or other mobile device on your network? Is it possible to create a security policy for consumer devices on your network? Well, yeah, it is, as it turns out.

In this week's sponsor interview we chat with Jack Daniel of Astaro. The topic is IPv6. Despite the fact that the Internet has run out of v4 addresses I haven't personally seen the four horsemen of the Internet failpocalypse riding down my street just yet. But be assured, there's a transition coming and Jack joins us to discuss how you can prepare for it.

Adam Boileau, as always, stops by with his take on the week's news.

On this week's show Peter Gutmann drops by to talk about Solid State Drives (SSDs) and digital forensics. Depending on which report you saw over the last week you may have read that it's impossible to reliably delete data from an SSD, or that SSDs are a forensic nightmare because they DO delete so much data.

Well it turns out both statements are correct, and Peter "Gutmann Method" Gutmann joins us to explain how.

Also this week, Tenable Network Security and industry Stalwart CEO Ron Gula joins us to chat about the concept of restricting the sale and export of exploit information or malicious software. How does one determine what is malicious or other in a discipline where almost everything is dual use? That's this week's sponsor interview.

Adam Boileau, of course, joins us for the week's news.

******I missed a couple of "naughty words" in this week's edit, so put your headphones on if the kids are about...

On this week's show we're having a chat with the editor of Wired.com's Threat Level blog, Kevin Poulsen.

He joins us to discuss his new book, Kingpin, which is out this week in the US and on March 1st is Australia.

Kingpin tells the story of Max Ray Vision, a hacker who started off as a typical carder but came to control virtually the entire online credit card fraud scene in the English speaking world. How? By owning rival forums, merging their users into his site and then torching the competition. It was pretty effective.

Adam Boileau joins us to discuss the week's news.

Earlier today I had a very interesting chat with veteran information security journalist Kevin Poulsen about his new book Kingpin.

Kingpin is a ripper read and the full interview should be up some time tomorrow with this week's podcast. But it was Kevin's comments around Wikileaks that I found particularly interesting.

It's been my long held belief that Wikileaks is somewhat similar to Napster; both entities are symptoms of a larger issue, they're not the cause. The ease with which Bradley Manning allegedly downloaded all the material leaked to Wikileaks is, in my mind, the real issue at play in the whole Wikileaks saga.

With Napster, the issue was the rising popularity of the Internet and consumers' newfound ability to infinitely and freely replicate digital files like mp3s across a network. Which particular software was used to do this was of little consequence.

Napster was shut down by US courts, but that did little to curb online piracy. In the same way, I very much doubt the closure of Wikileaks will do much to stem the flow of sensitive information on to the Internet.

In addition to other, similar sites like Daniel Domscheit-Berg's OpenLeaks operation, Anonymous has proved you don't need millions in donations and a massive public profile to air an organisation's dirty laundry on the Internet.

Those who stole information security company HBGary Federal's e-mail, under the flag of Anonymous, seem to have had no problem hosting the mail on public websites, for example.

The domains of said sites do get yanked every now and then, but another site soon pops up. It's proof that once the genie is out of the bottle it's impossible to get back in. I thought we all knew this already.

But Poulsen believes the HBGary Federal thing is an interesting development for another reason.

"We could see a whole new crop of insta-Wikileaks sites that are based not on leaked information but on stolen information," he said. "I do wonder if the next big leaking incidents we see... might come from outside hackers who are politically motivated or revenge motivated or inspired by what Wikileaks has done."

"There are a lot of companies and organisations out there that are no more secure than T J Maxx was when it got hacked, but who have been spared because they have nothing of value to the criminal underground. Now if they start being targeted for ideological reasons they're going to find themselves just as vulnerable [as T J Maxx]."

It's a pretty difficult argument to poke holes in, and it should be a wee bit worrying for organisations with dirty laundry to air.

The HBGary Federal leak certainly got a lot of attention, and it's hard to see how the "operation's" success won't encourage further activity of this type. Maybe the best defence against this thing really is running an ethical, transparent operation.

Interesting times in infosec indeed...

One interesting little organisation to come to the attention of the information security industry since HBGary Federal got popped is a US-based company named Endgame Systems.

It's a slightly shadowy information security company based in the US that appears to offer its services almost exclusively to the US military and intelligence apparatus.

It was founded in 2008 by a bunch of senior ex-ISS execs and founders like Chris Rouland and Thomas Noonan.

Well, thanks to the "liberation" of HBGary's e-mail by Anonymous and the leak-sifters over at Cryptome, we've now all got access to everything from a high-level overview of Endgame's "capabilities" to its pricelist and a sample report.

All three documents are instructive reading.

It seems Endgame does everything from selling stacks of 0day for use in "information operations," as well as unspecified tools used in "information assurance". The company tracks botnets, too, with some interesting results that are linked to below.

But what caught my eye was slide seven of a presentation, which you can find here [.zip], in which the company boasts of "active vulnerability assessment" and "identification of known vulnerable systems".

Massive, international vulnerability recon and intelligence for US military and intelligence applications, all done in the private sector.

The service sounds a lot like Metlstorm's "low hanging kiwi fruit"* project from a couple of years ago, only these guys charge millions for it [.pdf]. Have a look at a sample report from the company here [.zip].

This sort of information comes in handy. You never know when you'll need to know version of Apache Aeroflot's facilities at Moscow Sheremetevo Airport are running. (1.3.33 on Win32, in case you're wondering.)

HBGary's spools just keep coughing up interesting stuff. I'll be fascinated to see what else surfaces.

* A brief blurb on Metl's project can be found on this page. It's referred to as "low scuttling chilli crab". It's a Singapore thing.

This week's edition of Risky Business is brought to you by NetWitness!

On this week's show we look at the history of LIGATT Security and its chief executive Gregory D Evans. He says he's the "world's number one hacker" and racked up multiple appearances on CNN, Bloomberg, Fox News and other respected outlets.

But that hasn't stopped others from labelling Evans a charlatan.

A recent expose by CBS Atlanta in the USA, combined with the release of Evans' mailspool, have upped the level of interest in all things LIGATT. Jericho of Attrition.org has been tracking Evans' business dealings for years. He joins us by phone from the USA to fill us in on the curious case of LIGATT Security.

In this week's sponsor interview we chat with Eddie Schwartz of NetWitness. He joins the show to talk about some nice generic ways to detect network dodginess and suspicious endpoint behaviour.

Adam Boileau, as always, joins us for the week's news.

This week's feature interview is a chat with Didier Stephens about his work in bypassing Windows-based whitelists.

You can read about Didier's work here and here.

You can really lock down Windows boxes by whitelisting what can run on them. You've got SRP -- or Software Restriction Poly, and you've got the Windows 7 feature AppLocker. Primarily they're designed to stop daft employees from installing malware-laden baby name generators and stuff like that, but some administrators have found this approach is quite effective at blocking malware.

After Stuxnet came along, for example, some admins turned to AppLocker for a bit of extra comfort. But as you'll hear, if your goal is preventing custom malware from running on your system, you're about to learn that AppLocker is pretty much useless.

Didier Stephens is based in Belgium, works as a security guy in the finance industry and enjoys doing unnatural things to Windows. He joined us by phone to discuss his latest party trick.

In this week's sponsor interview we're joined by Astaro's Jack Daniel. He joins us to discuss security for small to medium businesses. It seems that half the time their paying way too much for top level advice or being fleeced by charlatans. What's some practical advice for SME businesses?

In this week's new segment Adam Boileau and Patrick Gray discuss the HBGary hack.

This week's edition of the show is brought to you by Tenable Network Security. We'll hear from Tenable's Paul Asadorian in this week's sponsor interview.

In this week's feature interview we're chatting with Immunity Inc's Bas Alberts about the security of Google's Android mobile operating system. As it turns out, Android's patching model is pretty awful.

To demonstrate the problems with Android, this week's feature guest, Bas Alberts, took a Webkit bug affecting the Chrome browser found on Android devices, attacked his boss's phone and used a garden variety Linux kernel local privilege escalation vulnerability to completely own the phone. He turned it into a video and it was uncomfortable viewing to say the least.

Bas works for Immunity Inc in the USA and joined me by phone to discuss his research and its implications.

Adam Boileau is back on deck to discuss the week's news headlines!

This is the last Risky Business podcast for 2010, and it's a cracker!

In it we take a look at three things that shaped the information security news agenda in 2010 -- Stuxnet, Wikileaks and the resulting militarisation of the Internet.

We also look back on a year of UNIX-beard-guy news with Adam Boileau.

We hope you enjoy this special edition -- we'll be back in February 2011!