Oops! Trend open CC's hosted security clients

Presented by

Patrick Gray

CEO and Publisher

While not the worst kind of data leak, the mistake has left the vendor somewhat red-faced and contrite. Following enquiries from Risky.Biz last week, the company e-mailed the users affected by the blunder.

"Unfortunately a mistake was made and recipient emails were added to the CC portion of the message, instead of the BCC portion, which caused several emails to be visible," the e-mail read. "Trend Micro takes our customers' privacy very seriously and is taking the necessary steps to prevent this from happening again. Please accept our sincerest apologies."

The accidental exposure of clients' e-mail addresses is reminiscent of rival vendor McAfee's leak of 1400 Australian IT security professionals' details in July last year.

As trivial as this leak may seem, security consultants say the data could be useful to attackers. They could, for example, stage a phishing attack to try to obtain the customers' login details to the hosted service, Trend's InterScan Messaging Hosted Security (IMHS).

"A list like this is of great value to an attacker. They have the direct, correct email address of the user operating the service the attacker is looking to phish," one said.

Maintainer of the Open Source Vulnerability Database, Brian Martin, agreed. "Not only can I phish, I can craft an attachment that I know Trend can't scan," he told Risky.Biz.

However, all agree the disclosure won't significantly increase the risks faced by the affected organisations.


Risky Business #146 -- Mixed bag edition

Presented by

Patrick Gray

CEO and Publisher

Adam Boileau

Technology Editor

There's no feature interview in this week's show -- it has an empty middle, just like an Easter egg!

Between me getting bumped out with a cold for a couple of days last week and this being a four day week, I just couldn't pull one together in time. Apologies.

So on this week's show we've got an extra long news segment with Adam Boileau, which is a bunch of fun.

In it we discuss:

  • Aurora not all it's cracked up to be
  • RIP SCO
  • Claims of a Vietnamese government-sponsored botnet. (WTF?)
  • The march of China's great firewall
  • When two networks are better than one
  • A $100 kit for sniffing wireless keyboards

PLUS!

  • Cisco's latest round of ghastly bugs
  • Apple's latest round of ghastly bugs
  • Microsoft's latest round of ghastly bugs

We also have an interesting chat with Ron Gula, chief executive of Tenable Network Security, in this week's sponsor interview. The topic is vulnerability scoring and knowing when a vulnerability scan is actually pointless.


Risky Business #145 -- Gonzalez sentenced, spooks MITM SSL and more!

Presented by

Patrick Gray

CEO and Publisher

Adam Boileau

Technology Editor

This week we chat with Assistant Commissioner Neil Gaughan of Australia's Federal Police about trends in fraud.

We'll also have a bit of a chat about all things Gumblar with Vitaly Kamlyuk of Kaspersky Lab in Japan in this week's sponsor interview. Vitaly's been having a bunch of fun with the creators of Gumblar. In fact, it seems the guys behind the system have gotten so sick of Vitaly and his buddies profiling the Gumblar systems from their Japanese offices that they've blackholed the entire country of Japan to slow him down.

It's a bumper news session this week -- Albert Gonzalez has been sentenced for his TJX hack, spooks have been busted man-in-the-middling SSL connections, someone's released DNS tunnelling shellcode for Metasploit (yummy), etc and so on, so forth etc.

Link to DNS tunnelling shellcode stuff here.

Link to the IE8 exploit paper mentioned by Adam is here.


Risky Business #144 -- Brian Snow on PKI's failure to deliver

Presented by

Patrick Gray

CEO and Publisher

Adam Boileau

Technology Editor

This week we've got Brian Snow on the show again. Brian had a 34-year career with the NSA in the States -- when he retired just a few years ago he was the technical director of Information Assurance there.

He's joining the show this week to talk about PKI, and specifically, why PKI hasn't taken off like we all thought it would. Brian actually has a pretty decent explanation for why things like federated identity never took off in the early to mid naughties like we all thought they would.

That's after the news.

Also this week we chat with Matt Moynahan, Veracode's chief executive. We're talking to Matt about the testing of applications sold via things like Apple's app store and Google's equivalent. That's our sponsor interview.

Adam Boileau, as usual, is this week's news guest.


Ex Sourcefire employee goes rogue, legal wrangle looms

Presented by

Patrick Gray

CEO and Publisher

Sourcefire partners in the Asia Pacific region have been bombarded with abusive e-mails purporting to come from Ammar Hindi, the company's APAC and Japan managing director.

Hindi isn't sending the mail. The company suspects the messages are the work of a disgruntled ex-employee based in Singapore. "We have strong suspicions who it is, but haven't been able to establish it definitively," a source close to the matter told Risky.Biz. "It was our hope that they'd lose interest and move on, but after every period of quiet, another wave goes off."

The e-mails appear designed to cause embarrassment to Hindi. "Mother f--ker! Wake up your idea and be more productive with more f--king sales order of Sourcefire in the next 30 days so that Sourcefire can have a f--king good Q1 2010 under my charge," says one of the e-mails, sent from a Gmail account set up in Hindi's name.

"Wake up your f--king idea and focus on f--king Sourcefire sales only or else you are not my f--king good partner for APAC," reads another.

One partner interviewed by Risky.Biz says the e-mails are a particularly bad look for an information security software company. "Because it's Sourcefire... it is worse in that they should be more responsible in protecting information," he says. "But at the same time, it's only email addresses to partners which are probably available to most staffers. Any disgruntled employee could have easily taken some or all of this info prior to walking into an exit interview or to resign."

The partner expressed surprise that Sourcefire hasn't reached out to those affected to explain the situation. For its part, sources within Sourcefire say they don't want to respond as it may encourage the alleged offender.

All of the e-mails target Hindi, according to the source, and the company is making slow progress in pinning down the alleged offender. "The [legal] tools that are available to us are relatively blunt," the source says.

Impersonation is a form of fraud in many jurisdictions, the source says, but in others the behaviour is harder to pigeonhole into a specific offence.

"John Doe" court actions have been filed against the sender of the e-mails in various jurisdictions, the source says, and the company is working hard to prove the identity of the miscreant. "We'll keep plugging away until we can develop a record and hand it over to the police," the source says.

Until that happens, it seems Sourcefire partners will have to cope with the occasional, expletive-laden, poorly-written rant.


Risky Business #143 -- Cloud computing and the history of electricity

Presented by

Patrick Gray

CEO and Publisher

Adam Boileau

Technology Editor

On this week's show we're having an extended chat with our good mate Greg Shipley.

Greg's best known as the CTO of Chicago-based information security consultancy Neohapsis, and he'll be joining us to talk about what was on the agenda at the RSA conference. Apparently it's cloud, cloud, cloud... but what does that actually mean, mean, mean? Greg will be along soon to discuss; he's always good.

There will be no sponsor interview this week -- the team at Check Point are snowed under at the moment so we just didn't get an interview organised, but that's cool, because it leaves more time for me and Greg to talk about stuff.

Adam Boileau joins us for the news this week.


Risky Business #142 -- Special guest H D Moore talks fun with NTP

Presented by

Patrick Gray

CEO and Publisher

Adam Boileau

Technology Editor

Risky Business is hosted by the team at Virtual.Offis in Sydney but sponsored, this week, by Tenable Network Security.

This week's feature guest is H D Moore, who'll be joining us to talk about some fun stuff he's been doing with NTP. Believe it or not you can use NTP to do massive recon on the Intertubez. H D has built a database of millions of hosts by querying NTP boxens. It's cool.

Tenable Network Security CEO Ron Gula joins us in this week's sponsor interview, and Adam "Beardy McUNIXguy" Boileau drops in to discuss the week's news.


RB2: SPONSOR PODCAST: Big security vendors jump into PCLM?

Presented by

Patrick Gray

CEO and Publisher

This is a sponsored podcast. Symantec sponsors the RB2 podcast so once a month we get one of their staff on the line to talk about industry trends, malware... whatever, really!

And today we're speaking with Vincent Weafer, Symantec's director of security response. Regular listeners of Risky.Biz podcasts would have heard me tonking on a LOT about patch management lately, and in particular the moves by large security vendors like McAfee, Trend and Symantec into that space.

McAfee and Trend have licensed technology from BigFix and Symantec is integrating technology from its Altiris acquisition into its endpoint security products.

It's an interesting trend, and one that I personally think will have some meaningful implications for enterprise security. For one, patch management will all of a sudden be a capability of security teams, not just desktop teams.

So I thought I'd talk about this with Vincent, who sheds light on the trend from a vendor perspective. As you'll hear, I also talked malware with Vincent -- everything from the Zeus botnet to the media's favourite, Aurora. Enjoy!


RB2: When is a hack a hack?

Presented by

Patrick Gray

CEO and Publisher

In this podcast we chat to a solicitor who specialises in IT. His name is Erhan Karabardak and he's with the firm Cooper Mills in Melbourne.

Erhan mostly specialises in technology-related stuff, and I wanted to get his thoughts on this so-called hacking scandal engulfing the corridors of power in New South Wales.

Last week a couple of journalists from the Sydney Morning Herald were given a handy tip -- if they pointed their browsers to nswtransportblueprint.com.au they would find a bunch of documents there that shouldn't have been released yet -- namely, the State Government's transport blueprint.

They went to the site, sure enough the documents were there, they wrote up the story and it ran on page one of last Saturday's Sydney Morning Herald.

The comical twist in all of this is the minister then went out and accused the journalists of hacking into the system to obtain the documents. This is especially funny given the journalists in question are known for being technologically challenged and possessing a fondness for fountain pens.

I thought it would be interesting to discuss this with a solicitor like Erhan. Although the documents were left on a webserver, could it be argued that the journalists had been doing something wrong by accessing them? When is a hack a hack? What if you had to guess a complicated URL through some sort of brute-force attack?

Well, as you'll hear, unless you actually have some sort of access control on your data -- like a password -- you're up the proverbial creek. I interviewed Erhan yesterday.


Risky Business #141 -- Why does patch management STILL suck?

Presented by

Patrick Gray

CEO and Publisher

Adam Boileau

Technology Editor

This week's edition of Risky Business is brought to you by Kaspersky and hosted by Virtual.Offis.

This week we take a look at patch management and ask why it still sucks. Security professionals have been advising their clients to sort out their patching processes for more than ten years, but it's still at the top of many, many a post-audit report.

We chat to Securosis analyst Rich Mogull about his research on patch management.

In this week's sponsor interview we chat with Kaspersky Labs' Vitaly Kamlyuk about the next generation of ransomware doing the rounds in the Russian Federation. Let's hope it doesn't wind up here!

Adam Boileau, as always, is this week's news guest.
