Podcasts

On this week's show we're taking a look at new laws in the United Kingdom that are designed to automate the collection of certain types of intelligence from telcos and ISPs.

The information itself has previously been accessible without warrant by UK intelligence agencies, but now they'll be able to bring up the data with a few keystrokes in real time.

That simple change could result in grave invasions of privacy, according to this week's guest, Roelof Temmingh of , the makers of Maltego.

Also this week Chris Gatford of HackLabs drops by for this week's sponsor interview. In it we discuss some statistics he's cobbled together from HackLabs last 100 or so penetration tests. They're not so much surprising as, you know, depressing.

Adam Boileau, as always, is along to discuss this week's news. And this, spectacular fail.

Melbourne's Age newspaper is carrying a delicious little item today.

The long arm of the law has caught up with the alleged ringleader of the CabinCr3w hacking group. Over the last few months CabinCr3w have pwned a bunch of law enforcement websites, even doxing a bunch of officers.

Pretty ballsy stuff, right? You'd think if you're starting a war with law enforcement you'd have your opsec shit in order, yeah?

Well, apparently not!

Criminal mastermind Higinio O. Ochoa III -- his real name, apparently -- has been tracked down via a photo of his girlfriend's boobies. He allegedly posted it on a website along with information stolen from various police services.

The woman, from Wantirna South in the Australian city of Melbourne, was pictured holding a sign that reads ''PwNd by w0rmer & CabinCr3w <3 u BiTch's''.

Unfortunately for Mr. Ochoa The Third, he didn't scrub the EXIF data from the photo. The GPS coordinates within lead police right to his girlfriend's house. Oops.

You can't make this shit up.

Reports say up to 600k boxes have been hosed, and if recent statements out of Cupertino are any indication, Apple staffers are running around like the proverbial headless chickens trying to contain this outbreak.

It seems the Apple security team has taken a leaf out of Microsoft's book -- they're targeting Flashback's C&C servers and will issue a removal tool through its software update service.

"The Flashback malware relies on computer servers hosted by the malware authors to perform many of its critical functions," today's statement reads. "Apple is working with ISPs worldwide to disable this command and control network."

Apple tardily released a patch for the Java vulnerability that allowed this malware to propagate in the first place. But considering Java is a bottomless pit of vulnerabilities, you might want to disable it system-wide. You can actually do that on OS X -- it's under Java preferences in System Settings.

On this week's show Adam Boileau and Patrick Gray talk through the week's security news headlines, including:

• Up to 500,000 Macs pwned by the Flashback Trojan
• Auto-updater finally out for Flash
• UK proposes completely stupid laws
• 1.5m credit card numbers looted
• Zeus still active after MS takedown

Tenable Network Security CSO Marcus Ranum stops by for this week's sponsor segment. Big thanks for Tenable for making this week's show possible!

This week we talk to CommsDay founder and publisher Grahame Lynch about the Australian Government's decision to ban Chinese Networking vendor Huawei from supplying equipment to the National Broadband Network.

The government says it will block Huawei's participation in the rollout of the $36 billion network on security grounds following a negative assessment by Australian spy agency ASIO. Read Grahame's take here.

Is this a decision that really makes sense from a pure political point of view? Or could there be some political considerations at play here? Grahame clues us in.

This week's show is brought to you by Adobe. Adobe's head of product security Brad Arkin is along in this week's show to talk about its new open source tool that helps incident responders pull apart suspicious flash objects.

Don't forget you can 'like' the Risky Business podcast on Facebook, if that's your thing, or follow Patrick Gray on Twitter.

Also this week, SC Magazine Australia's editor Darren "Dazza" Pauli joins us to discuss the week's news headlines. He's filling in for Adam Boileau who's off having his beard permed and dyed.

This week's feature interview is a chat with Verizon Business Security Solutions' Bryan Sartin about the annual Data Breach Investigations Report, or DBIR.

Risky Business covers the report [pdf] every year.

It's basically a post mortem of the previous year -- what sort of records were breached and by who? What were their motivations? What were their techniques?

The US Secret Service cooperates with the report, as does Australia's own Federal Police. When you throw in Verizon's own caseload, you wind up with something approaching an authoritative report. It's rare for a vendor to actually put out something this good.

The 2012 report, which focuses on 2011 incidents, arrived at a very interesting conclusion -- in 2011, more records were breached by hacktivists than criminals.

In this week's sponsor interview we chat with RSA Australia's acting country manager Geoff Noble. Geoff normally heads up sales, but don't hold that against him, because as you'll hear he's actually got a deep understanding of trends in enterprise security.

I got Geoff on the phone earlier this week and asked him to tell us what trends emerged at the most recent RSA conference in San Francisco.

This week's feature interview is with Alastiar MacGibbon, CEO of CREST Australia -- the Council of Registered Ethical Security Testers.

In the UK CREST is a big deal, and now it's on its way to Australia and NZ. There's even a similar organisation in the USA that is doing things the CREST way. So this approach could actually become a worldwide, accepted accreditation for security testers.

I know one extremely capable tester who flew over to the UK to take the CREST tests and wound up flunking the team leader portion of one of them, so it's not your typical rubber stamp.

But! With such a lack of talented security testers out there, it seems possible from where I sit that CREST may have to lower its standards to get enough people certified. And security is such a fast moving discipline -- how will we ensure that CREST certified testers have current skills?

That's this week's feature.

Adam Boileau, as always, stops by to chat about this week's news headlines.

The Australian government has announced the establishment of the Council of Registered Ethical Security Testers, or CREST.

CREST is a pretty big deal in the UK. Over there it's an extremely serious series of tests that can give hiring organisations a semi-reliable indication that a tester knows what they're doing. If you don't have your CREST certification, there's work you simply can't do.

But who knows what it'll morph into here -- the jury isn't just out, it hasn't even been empanelled yet. Government involvement isn't usually a good start.

You can read the Attorney General's announcement here.

Interesting to note that former Australian Federal Police agent (that was years ago now) Alastair MacGibbon is the CEO of CREST Australia.

He has zero background in security testing but his appointment makes sense -- it wouldn't be politically possible to appoint a CEO from a professional services organisation.

This way there's no conflict of interests.

On this week's show we're catching up with Mr. Popular himself, Adrian Lamo.

Adrian is best known as the guy who turned in alleged Wikileaks source Bradley Manning, but he also has some very interesting perspectives on the LulzSec arrests.

This week's show is sponsored by Tenable Network Security! In this week's sponsor interview Tenable product Manager Jack Daniel will be along to chat about a recent Tenable Webinar that was all about the internal politics of security. If you're struggling to get your colleagues on side, you want to listen to that interview!

Adam Boileau, as always, joins the show to discuss the week's news.

Global law enforcement swooped overnight, arresting a handful of online miscreants who, between them, have generated more headlines than the rest of the online underground put together.

That's right, LulzSec has been comprehensively pwnt. Some were arrested yesterday in raids, others, arrested some time ago, had their indictments unsealed by the courts.

But it was the news that online Anonymous hero Sabu, aka Hector Xavier Monsegur, had been acting as an FBI snitch since August 2011 that came as a shock to many.

It shouldn't have.

Back in September 2011, Sabu returned to Twitter after a one month hiatus as rumours of his arrest swept the Internet. He had indeed been arrested and flipped. By the time he logged back on to Twitter he was an active asset of the FBI.

The game had been up for Sabu since June 2011 at the latest. His identity had been well and truly exposed, with multiple pastebin posts unmasking him.

You would think anyone with half a brain would keep their distance from a high-profile target who was rumoured to be arrested, disappeared for a month, then reappeared.

But no. Everyone stayed tight. That's how the attackers allegedly behind the HBGary Federal attack, Stratfor's mail leak, the law-enforcement con call wiretap and attacks against Sony Entertainment have all wound up in the clink.

None of this matters. The real play here could be for Wikileaks and its founder Julian Assange.

We know these are the people who stole Stratfor's e-mail. This is the e-mail Wikileaks recently began publishing and releasing to its "media partners". We also know that this particular group of hackers had been completely and utterly compromised by the FBI.

Is it possible that the idea of passing Stratfor's mail on to Wikileaks, instead of just publishing it to the Internet, was in fact the FBI's idea? This group published HBGary's stolen mail directly to the Internet, why change now? Could it be that Sabu, at the behest of the FBI, was advocating a different approach?

You would think that the negotiated handover of illegally obtained data could open up all sorts of conversational possibilities. If a Wikileaks staffer asked these anon contacts to illegally obtain more information from other targets, I imagine that would be legally problematic.

The trick for the US Department of Justice could be trying to portray Wikileaks as the document laundering arm of Anonymous.

You can bet your bottom dollar that any communications between Wikileaks and this group were monitored, but it will be some time before we know if prosecutors can make hay from them.

Listen to Wired.com's news editor Kevin Poulsen discuss the Stratfor email dump. (24 mins in.)

Patrick Gray on Twitter.