Podcasts

Although large sections of the security community will deny it if you ask them, they're secretly enjoying watching LulzSec's campaign of mayhem unfold.

So far the "hacker group" has penetrated systems owned by Sony, PBS, the "FBI affiliate site" Infragard, security company (hah!) Unveillance and Nintendo, among others.

They're posting proprietary developer code. They're bringing back Tupac and Biggie. They're advising Nintendo on more secure httpd configurations. And they're issuing funny press releases via Twitter and Pastebin.

In the last few weeks these guys have picked up around 96,000 Twitter followers. That's 20,000 more than when I looked yesterday. Twitter has given LulzSec a stage to show off on, and showing off they are.

The Internetz, largely, are loving it.

It might be surprising to external observers, but security professionals are also secretly getting a kick out of watching these guys go nuts.

I wrote my first article on information security around May 2001. It was about the Sadmind worm and it ran on the letters page of the IT section of The Age newspaper in Melbourne.

"Geez," I thought to myself. "If awareness isn't raised about the unsuitability of these computamajiggies for srs bizness, we could encounter some problems down the track."

So for the last ten years I've been working in media, trying to raise awareness of the idea that maybe, just maybe, using insecure computers to hold your secrets, conduct your commerce and run your infrastructure is a shitty idea.

No one who mattered listened. Executives think it's FUD. They honestly think that if they keep paying their annual AV subscriptions they'll be shielded by Mr. Norton's magic cloak.

Security types like LulzSec because they're proving what a mess we're in. They're pointing at the elephant in the room and saying "LOOK AT THE GIGANTIC FUCKING ELEPHANT IN THE ROOM ZOMG WHY CAN'T YOU SEE IT??? ITS TRUNK IS IN YR COFFEE FFS!!!"

There is no security, there will be no security. The horse has bolted, and it's not going to be the infrastructure that's going to change, it's going to be us.

LulzSec is running around pummelling some of the world's most powerful organisations into the ground... for laughs! For lulz! For shits and giggles! Surely that tells you what you need to know about computer security: there isn't any.

The mainstream media are having fun criticising Sony for its poor security, but do we honestly think for a second that the XBox Live network can't be similarly pwnt? (I know the PSN breach hasn't been pinned on LulzSec, but the point stands.) Is there any target out there that can't be "gotten"?

State-sponsored attackers, likely Chinese, have even wormed their merry way through the networks of the US military industrial complex, buggering off with the blueprints for the next Lockheed Martin death-ray-lasermatron or similarly diabolical, geo-strategically altering super-weapon.

Yay! Human rights abusers with US-designed military technology! w00t w00t!

Thanks, RSA. <3

Don't even get me started on them. As BlackHat organiser turned US Department of Homeland Security advisor Jeff Moss Tweeted yesterday, "When I heard RSA had a shiny new half million dollar HSM to store seed files I wondered where had they been stored before".

We're relying on these boneheads to lock down our most sensitive R&D? Shoot me now.

What about privacy? Oh, well that's out the window too. Did you hear Facebook has facial recognition now? Great, huh? Plus the bloatware that is Facebook's Web application is full of bugs anyway, so we really do just have to assume all our Facebook accounts are pwnt. Our telcos are owned, our mobile devices track us, as the iPhone/Android tracking scandal showed us. Privacy is dead.

So why do we like LulzSec?

"I told you so."

That's why.

Check out the latest Risky Business podcast here.

On this week's show we're taking a look at the issue of failkit. Why is it that the very software designed to keep our networks secure is full of bugs?

A pen tester buddy of mine recently found an 0day XSS in a single sign on product... on ITS FRONT PAGE. Another friend found an auth bypass in a two-factor authentication management console. ON ITS FRONT PAGE.

It's impossible to find AV engines that don't come preloaded with a zillion format string vulnerabilities, and as you'll hear in this week's news, even Cisco's VPN solution is a nice way to actually own organisations. WTF.

Bug hunter extraordinaire, Azimuth Security's Mark Dowd, joins us after the news to chat about that. We'll also have a quick chat with Josh Corman, an analyst with 451 group in the USA and co-founder of the Rugged Software initiative.

Adam Boileau, as always, stops by for a check of the week's news headlines.

On this week's show we're chatting with HD Moore all about a recent decision by research house VUPEN to refuse to share their research into Chrome vulnerabilities with Google.

The French group likely sells 0days to governments, militaries and intelligence agencies to use on offensive operations -- so of course sharing its exploit information wouldn't make much sense for them. But what does this mean? Will we see any bugs in the open anymore? Or will they all go underground and be sold to governments?

This week's edition of the show is brought to you by NetWitness. Eddie Shwartz will be along after this week's feature interview to discuss the role of vendor marketing in making our situation worse. It's the job of marketing and salespeople to dazzle executives with bulldust -- but is it driving enterprise security investment in the best direction? Find out in this week's sponsor interview with Eddie Shwartz.

Adam Boileau stops by for a look at the week's news.

Microsoft was kind enough to sponsor our coverage of AusCERT's 2011 conference and as a part of that sponsorship arrangement we're doing these sponsored podcasts. We've already posted two interviews with Microsoft peeps about security issues, but we're posting this full talk as well.

Maarten Van Horenbeeck works in the Microsoft Security Response Center managing Microsoft's efforts to share information on security vulnerabilities with third party security software providers, government agencies and national CERT teams.

This talk is about how Microsoft applies ratings to its product vulnerabilities... there are a bunch of ratings systems out there... Maarten covers off some of these and discuss how MS boils down its own scores. I hope you enjoy this talk.

This is a full presentation by AusCERT's day three keynote speaker Ross Anderson.

Ross has kindly allowed us to podcast his entire talk.

Ross is professor of security engineering at Cambridge University, and author of the bestselling textbook "Security Engineering: A Guide to Building Dependable Distributed Systems". He was a pioneer of peer-to-peer systems, of hardware tamper-resistance, and of the economics of information security.

Ross will discuss the economics of information security in two contexts: frauds against payment networks, and the resilience of the Internet. The talk will draw on a recent major study Cambridge did on the resilience of the Internet.

Tony Oliver and the Pubcast crew interviewed me about the talk I did at ITWeb's Security Summit in South Africa the other week.

My talk was all about militarisation trends in the digital security field. I drew parallels between the Cold War and what's happening now. You can find it here.

Thanks to Tony and the rest of his gang for having me on their show. It's good to be on the other end of an interview every now and then!

You're about to hear one of the highlights of AusCERT's annual conference -- the speed debates! Not to be taken too seriously, the speed debate happens at the end of the con -- it's a chance to have a laugh and shed some lighter perspectives on the security discipline.

It's hosted by Australian broadcaster and journalist Adam Spencer. I hope you enjoy it.

This podcast is a complete presentation by APNIC's Geoff Huston.

According to the official synopsis: This presentation will outline the role of addresses and routing and the potential attack vectors, and will also report on the progress to establish a secure framework for addresses and their use in the Internet, highlighting the progress in establishing a secure routing environment for the Internet.

As regular RB listeners would know, we've followed APNIC's work and papers in this area and they have a habit of pushing out good stuff... so this should be a decent talk. Enjoy!

Microsoft was kind enough to sponsor our coverage of AusCERT's 2011 conference and as a part of that sponsorship arrangement we're doing these sponsored podcasts. They're general chats with Microsoft peeps about security issues.

And in this interview we're chatting with Microsoft Australia's Chief Security Advisor Stuart Strathdee about the affect the PSN network breach has had on large organisations' security outlook. As you'll hear, Stuart says a lot of security projects that had been on the back burner are now being brought forward.

Enjoy!

The publication of allegedly stolen, private photographs by Fairfax Online was eclipsed in stupidity only by the QLD Police Service's decision to seize the iPad of journalist Ben Grubb at the AusCERT conference on Tuesday.

Every time the coppers raid media organisations to seize computers and documents in order to track down, say, the source of an embarrassing political leak, it pisses me off something awful.

The lack of respect shown to the media and its sources by governments in this country, both state and federal, is pretty astonishing.

The Australian Federal Police (AFP) actually investigates public service leaks that harm nothing more than the incumbent's polling figures. It's ridiculous. A media that operates freely of this sort of intimidation is vital to maintaining a healthy democracy.

As for the Ben Grubb incident, it's my view that police should simply not have the powers at their disposal that enabled them to seize his iPad in connection with an investigation into the alleged theft of private photos from a Facebook account.

Background on that is here if you need it.

Despite the fact there's an argument brewing about whether QLD Police actually acted within the law in seizing Ben's gadget, the action, in my view, was categorically the wrong thing for the police to do.

Some of you out there on teh Twitters got up me yesterday over my failure to discuss the media freedom aspect of this whole AusCERT-gate thingamajig.

I didn't bother because the police were just acting like police. The whole thing was just so predictable. It's what happens in any jurisdiction that hasn't passed shield laws.

In this instance, it seems likely the intention of the officers in seizing the device was to obtain evidence to use against another individual. In fact, the coppers likely knew the evidence was on the iPad because Ben may have showed it to them himself! It's not explicitly stated in his piece, but you get the impression it's possible he pulled up some correspondence on his tablet.

It's likely that when they realised that a treasure-trove of evidence was likely stored on the iPad (correspondence between Ben and his source pertaining to a security conference presentation that may have crossed a few lines), they asked Ben to surrender it and he refused.

That's when they arrested him in a meeting room at AusCERT for a short time and seized his iPad.

The police claim they were within their rights to seize the iPad because it had allegedly stolen photos on it; tainted goods.

It's a clumsy argument, but it's a great example of coppers doing what coppers do -- taking the shortest path from A to B. Should they be allowed to do that? Absolutely not. Can you understand why they did? Absolutely!

It's also a bit difficult to defend Fairfax chose to publish allegedly stolen private photos. It gets REALLY difficult to defend Fairfax when you find out that the subject of the allegedly stolen photo contacted the editorial team and asked them to remove the private photo and they refused.

I know this because the subject of the photo told me.

It gets IMPOSSIBLE to defend Fairfax when we hear its justification for publishing the photos: It had legal advice that as the photos were published "on the Internet" they were fair game, regardless of whether they were posted to a private photo album on Facebook.

(NOTE: It's possible that the image in question was obtained by Fairfax via a Facebook Content Distribution Network URL that had been brute-forced during the research done during for Sunday's presentation. Technically that would mean the image was "on the Internet" and available without authentication, so probably fair game legally, but ethical questions remain.)

Legal advice aside, I'm amazed they didn't realise what 24-karat knobs they were being. Needlessly publishing private material is just a really shitty thing to do. One of the photos featured the subject and his young child. Sure, they blurred the child's face, but it was a private photo.

To keep the photos up there AFTER the subject and owner of the image copyright has asked you to remove it is tabloid asshattery at its most extreme. Sure, they cropped out the kid after an angry phone call, but they left the allegedly private picture identifying the subject up.

So are the laws that allowed the coppers to seize Ben's iPad daft? Yes. Were the coppers themselves acting like supreme dopes when they briefly detained Ben? Yes.

But really, if you had the ringside view I did when this whole thing played out, you'd find it a bit tough to muster up much sympathy for Fairfax and its now iPadless journalist Ben Grubb.

The nice side affect of the big hoo-ha is it's brought up a debate on press freedom in Australia. If anything, this whole episode will nudge proposed shield laws along quite nicely.

We need those shield laws to pass to prevent this sort of idiocy.

So to end with the same summary that accompanied yesterday's piece: Meh.