CREST launches in Australia

Presented by Patrick Gray, CEO and Publisher

The Australian government has announced the establishment of the Council of Registered Ethical Security Testers, or CREST.

CREST is a pretty big deal in the UK. Over there it's an extremely serious series of tests that can give hiring organisations a semi-reliable indication that a tester knows what they're doing. If you don't have your CREST certification, there's work you simply can't do.

But who knows what it'll morph into here -- the jury isn't just out, it hasn't even been empanelled yet. Government involvement isn't usually a good start.

You can read the Attorney General's announcement here.

Interesting to note that former Australian Federal Police agent (that was years ago now) Alastair MacGibbon is the CEO of CREST Australia.

He has zero background in security testing but his appointment makes sense -- it wouldn't be politically possible to appoint a CEO from a professional services organisation.

This way there's no conflict of interests.

Risky Business #229 -- Adrian Lamo on the LulzSec arrests

Presented by Patrick Gray, CEO and Publisher, and Adam Boileau, Technology Editor

On this week's show we're catching up with Mr. Popular himself, Adrian Lamo.

Adrian is best known as the guy who turned in alleged Wikileaks source Bradley Manning, but he also has some very interesting perspectives on the LulzSec arrests.

This week's show is sponsored by Tenable Network Security! In this week's sponsor interview Tenable product manager Jack Daniel will be along to chat about a recent Tenable webinar that was all about the internal politics of security. If you're struggling to get your colleagues on side, you want to listen to that interview!

Adam Boileau, as always, joins the show to discuss the week's news.


Wikileaks Stratfor email dump could be FBI sting

Presented by Patrick Gray, CEO and Publisher

Global law enforcement swooped overnight, arresting a handful of online miscreants who, between them, have generated more headlines than the rest of the online underground put together.

That's right, LulzSec has been comprehensively pwnt. Some were arrested yesterday in raids, others, arrested some time ago, had their indictments unsealed by the courts.

But it was the news that online Anonymous hero Sabu, aka Hector Xavier Monsegur, had been acting as an FBI snitch since August 2011 that came as a shock to many.

It shouldn't have.

Back in September 2011, Sabu returned to Twitter after a one month hiatus as rumours of his arrest swept the Internet. He had indeed been arrested and flipped. By the time he logged back on to Twitter he was an active asset of the FBI.

The game had been up for Sabu since June 2011 at the latest. His identity had been well and truly exposed, with multiple pastebin posts unmasking him.

You would think anyone with half a brain would keep their distance from a high-profile target who was rumoured to be arrested, disappeared for a month, then reappeared.

But no. Everyone stayed tight. That's how the attackers allegedly behind the HBGary Federal attack, Stratfor's mail leak, the law-enforcement con call wiretap and attacks against Sony Entertainment have all wound up in the clink.

None of this matters. The real play here could be for Wikileaks and its founder Julian Assange.

We know these are the people who stole Stratfor's e-mail. This is the e-mail Wikileaks recently began publishing and releasing to its "media partners". We also know that this particular group of hackers had been completely and utterly compromised by the FBI.

Is it possible that the idea of passing Stratfor's mail on to Wikileaks, instead of just publishing it to the Internet, was in fact the FBI's idea? This group published HBGary's stolen mail directly to the Internet, why change now? Could it be that Sabu, at the behest of the FBI, was advocating a different approach?

You would think that the negotiated handover of illegally obtained data could open up all sorts of conversational possibilities. If a Wikileaks staffer asked these anon contacts to illegally obtain more information from other targets, I imagine that would be legally problematic.

The trick for the US Department of Justice could be trying to portray Wikileaks as the document laundering arm of Anonymous.

You can bet your bottom dollar that any communications between Wikileaks and this group were monitored, but it will be some time before we know if prosecutors can make hay from them.

Listen to Wired.com's news editor Kevin Poulsen discuss the Stratfor email dump. (24 mins in.)

Patrick Gray on Twitter.

Risky Business #228 -- Wikileaks the new Anonymous?

Presented by Patrick Gray, CEO and Publisher, and Adam Boileau, Technology Editor

This week we'll be joined by Wired.com's news editor Kevin Poulsen for a chat about the big news of the week -- Wikileaks' gigantic dump of private intelligence contractor STRATFOR's allegedly stolen e-mails.

This week's show is sponsored by Adobe, and Adobe's head of product security, Brad Arkin, will be along to discuss the way ISVs view white-hat research. You might love your latest sandbox bypass technique, but he doesn't! That's this week's sponsor interview with Adobe's Brad Arkin.

As always, Adam Boileau stops by for a check of the week's news headlines.


Risky Business #227 -- Surveillance, the state and fascism

Presented by Patrick Gray, CEO and Publisher, and Adam Boileau, Technology Editor

In this week's feature interview you'll hear part two of my interview with In-Q-Tel's CSO Dan Geer. We chat with Dan about electronic surveillance, the state, fascism and even the "digital Amish".

He is, as always, fascinating.

This week's edition of the show is brought to you by Hacklabs, an Australian penetration testing firm. Some homegrown support! Thanks, guys.

Hacklabs' very own Chris Gatford will be along in this week's sponsor interview to have a chat about Glenn Mangham, the Brit who's now serving a prison term for hacking Facebook despite his claim to be all very, very white-hatty.

Adam Boileau, as always, checks in to discuss the week's news headlines.


Risky Business #226 -- "Digital Exhaust" with Dan Geer

Presented by Patrick Gray, CEO and Publisher, and Adam Boileau, Technology Editor

On this week's show we chat with information security legend Dan Geer about traffic analysis and "digital exhaust".

Everything we do online produces a tonne of metadata. What can be inferred through the analysis of this metadata and who's likely to analyse it?

Part one of my chat with Dan Geer is this week's feature interview.

This week's show is sponsored by RSA Security, the security division of EMC.

So in this week's sponsor interview we're chatting with RSA's Mason Hooper about the company's 2012 Cybercrime Trends Report. Is Zeus still Zeusy? Still Godlike? We'll find out at the back of this week's show.

Adam Boileau, of course, drops in to discuss the week's news headlines.


Risky Business #225 -- Will DMARC actually help anyone?

Presented by Patrick Gray, CEO and Publisher, and Adam Boileau, Technology Editor

On this week's show we're taking a look at the DMARC anti-phishing effort. We mentioned it on the news last week, but we're going to get into it properly with our good buddy Paul Ducklin. He's along after the news.

This week's show is sponsored by Tenable Network Security.

Tenable's chief executive Ron Gula will be along in this week's sponsor interview to chat about the theft of Symantec's source code. He doesn't think it's a world ender, and you know what, he's probably right! He's along after this week's feature interview.

There's also plenty of news to discuss with our news co-host Adam Boileau!

You can "like" Risky Business on Facebook here.

Find Patrick Gray on Twitter here.


Symantec light on AV compromise specifics

Presented by Patrick Gray, CEO and Publisher

Symantec claims customers using its endpoint protection and antivirus products are not at risk following revelations the company's AV source code was stolen in 2006.

But when it comes to providing specifics, Symantec is guarded.

Following yesterday's blog post, Symantec has claimed recycled source code from its corporate antivirus product of 2006 makes up only 5% of current endpoint protection software.

But it won't say which 5%.

Furthermore, 5% of Symantec's latest bells-and-whistles endpoint security products is a lot of code; basic corporate AV solutions from 2006 were pretty small by comparison to today's bloatware. So it could well be that a large proportion of the stolen code is actually in the current product. THAT's the percentage I'd like to see.

Here's the company's response to yesterday's questions, and below that my lingering unease about the company's answers.

    We have definitely analyzed the 5% of the code and have determined it to be benign enough in nature not to present a security threat to current Symantec and Norton users if an attempt was made to exploit it for the purposes of a cyber attack. Furthermore, as mentioned in the previous e-mails, the combination of features in the current Symantec and Norton software would protect customers against an attack. For competitive purposes and protection of our intellectual property, we are not going to get into the specifics of the exact functionality of the 5% of that code.

    Given the visibility of this incident, i.e. there is consistent monitoring of our communications by hackers and the Anonymous group, we're hesitant to provide specifics on the size of the code for NAV CE and SEP 10.2 (hence someone may be able to tell what they have or don’t have based on the size alone). However, you are correct that the total amount of code for Symantec Endpoint Protection is demonstrably larger than NAV CE, again, if for no other reasons than to accommodate all of the new features and functionalities layered upon over the previous six years.

More technical readers would know that the claims that extra features in the company's newer endpoint protection software would make exploitability impossible are quite simply bunk.

Sure, they might provide some defence-in-depth protection against malware, but I fail to see how a new, whiz-bang file reputation ranking engine will prevent targeted exploitation of vulnerable AV scanning engine code, for example.

Further, Symantec has stated it analysed the relevant code and determined it's not vulnerable, but won't say which chunks of that code have found their way into current products. Why? Surely if the code is good it can say which component is still being used in current source trees.

Also, calling Anonymous a "group" is a bit silly, especially in this instance as it was a bunch of people calling themselves the Lords of Dharmaraja who claimed credit for the attack. Anons have just been chuckling along with them. For a company like Symantec to conflate this compromise with the activities of a broader meme/movement like Anonymous may be convenient for PR purposes, but it's not really accurate.

So, brass tacks time: It's unlikely the Symantec AV source code that's doing its rounds over the Internet is going to really help attackers out there in a meaningful way. That said, I get the impression that Twitter user @GMKnowBoulder was right yesterday when they said Symantec seems stuck in the "quantum void between the engineering force and the marketing dark side".

So who out there can be bothered bindiffing NAV CE circa 2006 against current endpoint protection products?

Find Patrick Gray on Twitter.

UPDATED: Symantec's spin department at work?

Presented by Patrick Gray, CEO and Publisher

UPDATED WITH COMMENT FROM SYMANTEC BELOW

So it's happened -- a significant chunk of Symantec's source code has been made available online as a torrent.

This followed the release of a pretty loltastic Pastebin dump which purports to show e-mail negotiations between a Symantec staffer and the hackers who obtained the source.

In the alleged correspondence the Symantec rep offers said hackers $50,000, paid in $2,500 monthly instalments, in exchange for guarantees they won't publish the source and issue a statement saying the breach never happened.

Symantec claims the whole thing was a setup designed to draw the attackers out. That claim is entirely credible.

The publication of the correspondence is nonetheless embarrassing for Symantec, which has actually handled this whole situation pretty well.

When it realised its source code for PC Anywhere had been walked in 2006 it initiated an urgent audit of the relevant code and found some major problems. It recommended users stop using PC Anywhere until it issued a series of patches correcting the bugs. Those patches are out.

Of course the question remains as to why they took until now to review the security of the PC Anywhere source. The bugs they found were really, really serious. And obvious. And had been there for five years at the very least.

But what really puzzles me is the company's attitude towards the publication of its corporate antivirus software. PC Magazine published an article that quoted a Symantec representative as saying:

    To be correct, the code is for Norton Antivirus Corporate Edition, i.e., what used to be used by enterprises. As it is, customers face no security threats if the code is posted. It's a product that is no longer available, supported, or sold.

    The code is so old that even if there were attempts to generate a cyber attack, it would take on the characteristics of a 2006 attack. The age of the code inherently limits what can be done with it. It is, essentially, worthless code. At this point, Anonymous would be releasing it for PR purposes and that's it.

That's a bold statement but it could well be true. But what exactly is Symantec saying here? Is it saying that absolutely no source code from its old Corporate Edition has found its way into current enterprise software?

Also, what characteristics, exactly, do "2006 attacks" possess? How does the "age of the code" limit what can be done with it?

That whole statement is just weird, and until we get more information out of the big yellow S it just raises more questions than it answers.

I'll be firing off some questions to Symantec PR on this and we'll see what they say.

UPDATE: The PR gnomes at Symantec have issued this response:

    "Based on our analysis, the Norton Antivirus Corporate Edition code in question represents a small percentage of the pre-release source for the Symantec AntiVirus 10.2 product, accounting for less than 5% of the product.

    As such, that is not enough of a percentage to mount or develop a successful cyber attack against current Symantec and Norton solutions.

    If customers are using the current version of their Symantec or Norton products, they will be protected against attacks that might result from the theft and possible disclosure of the code."

I've pushed back again to ask a few follow-ups... like, WHICH 5% is still in the product? Was the other 95% of code rewritten from scratch? Or was some of it just "updated" from the original source? Did they have the AV products audited in the same way PC Anywhere got the once over? etc etc.

Will hopefully have an update soon.

Find Patrick Gray on Twitter.

Verisign pwnz0red: Reuters report

Presented by Patrick Gray, CEO and Publisher

An interesting news piece hit the wires overnight describing the 2010 breach of a handful of Verisign's corporate systems.

The story was broken by the Reuters news agency and is peppered with sensational quotes like a former NSA and DHS guy saying "ZOMG this will end the interwebz" despite the fact the guy knows about as much as we do about the breach. You can read the whole thing here.

It’s interesting for several reasons. Firstly, the reason we know about this event is because it was disclosed in the company’s SEC filings. Secondly, Verisign is a very important company when it comes to the issuance of digital certificates. And finally, the story is made all the more fascinating by the vagaries of the disclosure. The filing is a tad light on specifics, like what data was actually "exfiltrated".

It’s also a sad sign of what's become of the technology media. The breach was disclosed in an SEC filing back in October, but has only hit the news now.

Symantec says there's no evidence to suggest the breach affected its SSL systems, which, if true, means the story as reported is a bit of a beat up.

I suspect this breach is unlikely to be of the magnitude of the RSA hack or Aurora attacks against Google. If anything it tells us more about the sorts of disclosures we're likely to see in future SEC filings in the USA.

But who knows? Sometimes these stories are slow burners...

Either way, the fact that no one would be surprised if Verisign's SSL boxes got pwned is proof enough that browser manufacturers need to redouble their efforts in protecting users from man-in-the-middle attacks performed with illicitly issued but "technically legitimate" certificates. I believe Chrome already pins certs for most major websites and IE might already do it too.

What does your gut feel say? Drop us a comment!

Find Patrick Gray on Twitter.