
Vic Auditor General: SCADA is a mess

Presented by Patrick Gray, CEO and Publisher

The Victorian Auditor General has wrapped up its investigation into SCADA security in the transport and water sectors down south.

It found major problems that will surprise absolutely no one. In short, four out of five of the installations examined were nightmarishly insecure. It also found a real lack of awareness among the operators of critical infrastructure that they even have a problem.

A lack of security understanding was on display in New Zealand recently when a spokesperson for Mighty River Power proclaimed the installation was immune to the Stuxnet malware because "we don't run Windows 2000... which we understand is the doorway for the virus".

I'd guess that in some cases more effort is put into securing billing websites for electricity providers than into securing the infrastructure itself, and this report seems to bear that out.

Most pros in the information security industry have known about these problems for a long, long time, but it's great to see them getting some attention at government level.

You can download the PDF from this page here.

It makes for fascinating reading. The text has an interesting feel and tone to it -- a mixture of disbelief and panic shines through.

I tried getting someone from the auditor general's office to chat with Risky.Biz, but the office has a policy of not commenting on reports.

The office and its staff are shielded from defamation action when writing official reports, but any commentary to the media is not protected.

The timing of all this is borderline freaky in light of all this Stuxnet hoo-ha.

Anyway, have a read yourselves and tell us what you think by commenting here.

Risky Business #170 -- The week of Zeus!

Presented by Patrick Gray (CEO and Publisher) and Adam Boileau (Technology Editor)

NOTE: The original post accidentally linked through to episode 169 -- fixed now!

In this week's feature interview we'll be taking a look at a proposed bill in the USA that would see all software companies having to build a lawful interception capability into their products. Basically the feds in the USA would like to be able to tap Skype, Blackberrys, OTR instant messenger and so on.

And we've got the perfect guest to discuss this with -- Alastair MacGibbon. A 15-year veteran of Australia's federal police and the founding director of the AFP's high tech crime centre, MacGibbon left that job to work as eBay Australia's director of Trust and Safety when eBay owned Skype.

These days he's doing his own thing under the name Surete Group.

In this week's sponsor slot we're joined by Vitaly Kamlyuk of Kaspersky Lab in Japan. He's grumpy! He's not pleased! A security researcher in the USA published a nice big detailed blog post the other day in which he described some vulnerabilities he'd found in the Zeus botnet C&C server software.

Some in the security research community believe that disclosure was irresponsible and Vitaly is one of them. We'll hear from him after this week's feature.

As always, Adam Boileau joins us to discuss the week's news.


Zeus command and control server software patched

Presented by Patrick Gray, CEO and Publisher

It took just three days for the Zeus botnet command and control software to be patched against a vulnerability disclosed in a security researcher's blog posting.

USA-based researcher and apparent Google security engineer Billy Rios published a detailed blog post on vulnerabilities he discovered in Zeus's command and control server.

Armed with details of the vulnerability, attackers could seize botnet command and control servers. Attackers could be criminals seeking to seize other organisations' botnets, or security researchers looking to disable botnet command and control servers.

Zeus is a malware package that targets Internet banking accounts and digital certificates. Sold on the underground, the Zeus botnet "kit" contains a user manual and all the software ingredients enterprising criminals need to get started building their botnets.

Some malware researchers say Zeus is currently the most common malware on the Internet.

Rios conducted a security audit on the command and control web application that "ships" with the Zeus kit, only to find vulnerabilities that could be used to compromise the C&C server.

His full disclosure of the bug led some to criticise Rios for helping criminals better secure their malicious software.

A source tells Risky.Biz the "patch" was first discussed on Zeus-related IRC channels by Pierre Caron.

What do you think? Should Billy Rios have disclosed his findings? Let us know by clicking here.

To hear more about this story tune into tomorrow's edition of the Risky Business podcast. RSS feeds are here.

Risky Business #169 -- Dan Geer on Stuxnet

Presented by Patrick Gray (CEO and Publisher) and Adam Boileau (Technology Editor)

This week's feature is a chat with industry legend Dan Geer about Stuxnet. The more we find out about Stuxnet the more it looks like something ripped out of a spy thriller. It used four 0day bugs, two stolen code signing keys and infected a bunch of systems in Iran.

Speculation that the worm was targeting specific facilities in Iran has grown over the last week and we'll see what Dan thinks about that.

Adam Boileau joins us to discuss the week's news and Tenable Network Security chief executive Ron Gula pops in for this week's sponsor interview.


Risky Business #168 -- McAfee CEO and CTO talk Intel acquisition, integration

Presented by Patrick Gray (CEO and Publisher) and Adam Boileau (Technology Editor)

This week you'll hear from McAfee CEO Dave DeWalt and CTO George Kurtz. Since the planned merger between Intel and McAfee, a lot of people have questioned the deal's logic. DeWalt and Kurtz front Risky Business to defend the acquisition and outline what it could mean for the security technology of the future.

Microsoft has signed back on as a sponsor for the remainder of the year, and Microsoft Australia's Stuart Strathdee makes his return to the sponsor slot this week to tell us about IE9, which sounds suspiciously like IE8 in a pretty frock... or more accurately like IE8 in a bikini.

Adam Boileau joins us as usual to discuss the week's news.


Risky Business #167 -- Kuza talks about Flash and Air apps

Presented by Patrick Gray (CEO and Publisher) and Adam Boileau (Technology Editor)

On this week's show we're taking a look at Flash applications. With tonnes of thick client apps being replaced with apps built on Flash, we thought we'd have a chat to Azimuth Security's Alex Kouzemtchenko about what some of the pitfalls in developing Flash apps are.

This week's edition of the show is brought to you by Symantec, and we're stoked to have that company's CTO, Marc Bregman, on the show for this week's sponsor interview. He's an interesting guy and he's got a lot to say, not surprisingly, about where we're all headed as an industry in light of the McAfee Intel deal.

Adam Boileau, as usual, drops in to discuss the week's news.


Risky Business #166 -- Bad guys find more ways to mess with Authenticode

Presented by Patrick Gray (CEO and Publisher) and Adam Boileau (Technology Editor)

On this week's show we're chatting with F-Secure's Jarno Niemela about some of the issues with Authenticode. He'll tell us about one fascinating case where a piece of malware actually carried a valid signature from a real company... stolen keys, right? As it turned out, that company didn't make software and had no idea what an Authenticode cert actually was. Jarno got to the bottom of that little mystery and tells us all about it after the news with Adam Boileau.

In this week's sponsor interview we're chatting with Tenable Network Security's CSO Marcus Ranum about a new project being run by DARPA, the US Defence Advanced Research Projects Agency.

The project is called CINDER and it's all about detecting rogue insider behaviour. It has potential to be a VERY interesting project, and Marcus shares his thoughts on it.

Here's a link to Jarno's CARO conference slides [pdf].


Risky Business #165 -- McAfee Inside™

Presented by Patrick Gray (CEO and Publisher) and Adam Boileau (Technology Editor)

In this week's show we take a look at all the big news events over the last week. A newly rediscovered DLL hijacking technique has made some waves over the last seven days, as has the arrest in India of an e-voting machine security researcher.

Adam Boileau joins the program to discuss those items and others in this week's news segment.

In this week's feature interview we take a detailed look at Intel's decision to acquire security software maker McAfee for USD$7.68 billion. What is the reaction among analysts and the wider market?

Neohapsis CTO Greg Shipley and Gartner's Rob McMillan join the program to discuss.

This week's sponsor interview is with Ed Curtis from Research in Motion. He pops in to talk about different approaches to the mobile security problem. Should we even bother with IDSing mobile environments? Curtis says yes!


Risky Business #164 -- FX on Blackberry security and wiretaps of the future

Presented by Patrick Gray (CEO and Publisher) and Adam Boileau (Technology Editor)

This week's guest is Felix "FX" Lindner. A well known researcher, FX has spent more than his fair share of time crawling around the innards of Blackberry devices.

He joins us this week to discuss the hubbub about lawful interception and Blackberry devices -- how resistant to wiretapping are they? What's the OS security like? What's the encryption scheme like?

As it turns out, the Blackberry holds up pretty well on most fronts, but FX fears law enforcement and intelligence agencies may start exploiting the baseband chipsets on mobile devices in order to intercept the data they carry.

It's a cracker interview.

We stick with the mobile theme in this week's sponsor interview, asking Symantec's Vincent Weafer why that company is focussing its development efforts on the Android platform. What makes Symantec so confident that Android will become the platform of attackers' choice?

Lateral Security's Adam Boileau pops in to discuss the week's news, including the "holy crap" news that McAfee is to be acquired by Intel for a figure approaching USD$8b. WTC?!

Here's the Blackberry whitepaper mentioned in the show.


Unremarkable spam remarkably effective

Presented by Patrick Gray, CEO and Publisher

Last Tuesday was an unremarkable day. I awoke to the usual emails, IRC chatter and RSS reading, the most noteworthy of which was a small cluster of ZDI advisories addressing issues in WebKit.

Then I spotted the following unremarkable tweet from @davidfarrier:

"some chap in china just hacked my gmail. and just to tell people about iphone 4s. as if people didn't know already. silly bugger."

Quickly followed by this:

"seems like lots of us twits have had our gmails/hotmails hacked this week. are you on the "hack" list? i certainly was."

The tweets in themselves were unremarkable. What was interesting was the amount of chatter surrounding the keywords "Gmail" and "Hacked". Everyone I spoke to throughout the morning knew someone who had been compromised or had been sent badly constructed spam from someone's legitimate Gmail account.

An initial look around suggested that thousands if not tens-of-thousands of accounts have been hit.

So what was going on?

Well, simply put, every "hacked" Gmail account was logged into using valid credentials that appeared to have been stolen some time earlier. Once the attackers had access to an account, they sent its contacts an email along these lines:

Dear friends:

Last week ,I have Order china Samsung UN55B8000 55-Inch

this w e bsite:dhsellso.com

I have received the product!

It's amazing! The item is original, brand new and has high quality, but it's much cheaper. I'm pleased to share this good news with you! I believe you will find 7what you want there and have an good experience on shopping from them.

Regards!

Presumably this was the work of a script with previously compromised account details purchased from a botnet or phishing operator. There's nothing remarkable about it at all.

In each sample that I have looked at, the source IP address of the Gmail session was the unremarkable, China-located 115.49.90.219, and the text was identical (with the exception of the product being pimped).

One possible theory that has been raised by several people I have talked to (and this is just a theory) is that the BGP "misroute" earlier in the year captured a bunch of logins (HTTP, POP3, IMAP) to Gmail services, and that these have been harvested as part of this attack.

Personally, I find it hard to link the two together. The reason I find it difficult to believe is that an operation capable of dragging in 37,000 networks (and managing to successfully sniff the bridged traffic) would not blindly sell the acquired data to some crappy low-level scam operation.

That sort of capability would surely attract higher bidders.

So let's continue to work with the unremarkable theory of buying some stolen Gmail credentials from a basic botnet operation to log in and send spam.

So what was the deal with the spam? The target site was dhsellso.com, which in itself is also unremarkable in many ways. It doesn't appear to host malware or phish people for details. It is reasonably well constructed and appears patched against known flaws. It is, by all accounts, just a good ol' fashioned "too good to be true and therefore is fraud" site.

Funnily enough, the person(s) behind dhsellso have struck before, and registered at least two other sites at the same time as dhsellso.com, presumably for nefarious purposes (dbyers.com and dbyers1.com).

So what is remarkable about all this? How successful the operation has been.

This is for several reasons:

1) Harvested email lists traditionally sell by accuracy. 100,000 email addresses at 70% accuracy will always sell for more than 100,000 email addresses at 60% accuracy. In this case, by using the victims' address books, you can be sure the accuracy of the target email addresses would have been high (maybe 90+%?).

2) Dhsellso.com succeeded in getting their message out beyond e-mails. Systems such as blogger.com and posterous allow users to configure "magic" or hidden email addresses that when emailed, generate blog posts. Naturally, many blogs around the world started showing posts with dhsellso.com email subject and body on Google almost straight away.

3) The "junk" rate of the generated emails within Gmail / Google Apps has been pretty "low", presumably because the emails originated from valid Gmail HTTP sessions and accounts.

4) Given the fact that all emails would have appeared to come from trusted people, I would imagine the click rate might have been pretty high.

5) The fact that no one gives a shit. Pretty much everyone I spoke to who had been hacked simply shrugged, changed their password and moved on. Like getting your Gmail account owned happens every other day.

Seeing such remarkable results from such unremarkable campaigns is a tad depressing.

Now, back to my unremarkable day.