Podcasts

In this week's feature interview we're chatting with Gartner Research Director Andrew Walls about a fascinating research paper released by Microsoft.

It's called Sex, Lies and Cyber-Crime Surveys [pdf]. It basically says most cyber crime surveys are misleading.

Tenable founder and CEO Ron Gula also joins the show to discuss the sudden popularity of so-called cyber insurance in light of the massive number of high-profile attacks that have occurred recently.

Adam, of course, drops in to discuss the week's news headlines, and boy, has it been a busy week!

According to The New York Times, "sophisticated attackers" stole large quantities of customer data from Citi, using computers.

You can read the article here.

We know the attackers used computers, because they typed an account number into a URL bar, and computers have URL bars. Computers are sophisticated, and anyone who uses them is, apparently, "especially ingenious". Just read the article.

But the quote that really got me was this one: "[The attackers] leapfrogged between the accounts of different Citi customers by inserting various account numbers into a string of text located in the browser’s address bar."

The report quoted a security expert familiar with the investigation as saying "it would have been hard to prepare for this type of vulnerability" and this attack is only one of a "wave of more and more sophisticated breaches by hi-tech thieves".

Now I've tested a few Web apps in my time as an information security consultant, so I guess I am moderately sophisticated with these here com-putars by the standards of The New York Times, but as far as I can tell the OWASP Top 10 Number 4: "Insecure Direct Object Reference" is a fancy way of saying "herp a derp, lets put the account number in the URL bar, and just hope no one increments it".

So lets just come right out and say it: If this NYTimes piece is correct, these are not sophisticated attacks.

Sony getting SQL injected? Not sophisticated. Citi account-in-the-URLbar? Not ingenious.

The sad thing is nearly every in the wild, for actual profit cyber-crime is carried out using bog-standard, basic flaws that have been well understood, documented, taxonomised, discussed, weaponised and used in the wild for years.

Anyone from a 13 year old kid to the Russian mafia can and will break into almost anything in minutes using common garden flaws that even the slightest attempt at planning an approach to the foothills of the snowy, cloud-lost peaks of Mt Best Practice would have spotted.

If, as per the reports, Citi got 200,000 customer records stolen through changing the account number in the URL string, then it's almost certain it never got that Web site tested for security.

Can we all just say that out loud? It's possible that the world's largest financial services network didn't get this system tested for security.

The NYT breaks it down for mom-n-pop: "Think of it as a mansion with a high-tech security system -- but the front door wasn’t locked tight."

No: They. Didn't. Test. It.

Hell, even if you fired an automated webappsec tool at something like that, you'd find it. Same as with all Sony's SQL injection. These are not "high-tech security systems" that aren't "locked tight". If the NYT report is accurate, this is straight out negligence.

In Maine last week, the judge in the case of Patco vs Ocean Bank concluded "the law does not require the bank to implement the 'best' security measures available and that the bank is clear to customers when they sign up about the level of security it provides".

Sure, perhaps expecting diamond-studded RSA tokens when you sign up for Internet banking is a bit much, but how about basic security testing?

Companies like Citi aren't the only class of sinners. Recently a large, name-brand software vendor admitted to our mutual customer that it, too, had never actually commissioned external penetration testing of its security focused product.

The product is marketed as an enabler of robust multi-tenanted security boundaries. The software maker had never tested it: "Nope, not at all, why do you ask?"

One of the bugs involved just typing the name of another customer into an input box, instead of clicking your own from a list.

Or perhaps you'd like more irony? How about arbitrary file read via ../../../ in the URL bar in Trend Micro's "Data Loss Prevention Virtual Appliance"?

Your bank gets owned because computers are sophisticated. Computers are hard. Building, deploying and maintaining secure business computer systems is fiendishly hard.

But, NYTimes, don't tell me that Citi lost 200,000 customers worth of information because of a sophisticated attacker. Tell me the truth: it lost the information because it failed to test its systems. It failed to take even what limited basic options we as an infosec industry can offer -- the OWASP Top 10, some basic Web app penetration testing, and perhaps hiring a security consultant who might better prepare the company against an earth-shatteringly sophisticated attack involving the alteration of an account number in the URL bar.

TL;DR Typed account number into browser, owned bank.

Editor's note: The funny thing is we hear good things about Citi's in-house pentesters. Either the NYTimes article is incorrect, or somehow this bug just slipped through to the keeper. We have no idea. It's hardly the point: Even if Citi didn't get owned this way, plenty of others do and it makes us all very sad pandas at Risky Business HQ. :'(

In this week's feature interview we're chatting with Neal Wise of Assurance.com.au about RSA's decision to finally admit what we all knew already -- that its SecurID product line has been compromised. RSA is offering to replace tokens... we'll chat with Neal about whether it will make sense to do that or not.

In this week's sponsor interview we're joined by Astaro's director of Support Alan Toews. We're talking about the silver lining to all the chaos out there at the moment -- does the awareness raised by the actions of groups like LulzSec offset the harm they cause to their victims?

Adam Boileau, as usual, pops in to discuss the week's news.

Although large sections of the security community will deny it if you ask them, they're secretly enjoying watching LulzSec's campaign of mayhem unfold.

So far the "hacker group" has penetrated systems owned by Sony, PBS, the "FBI affiliate site" Infragard, security company (hah!) Unveillance and Nintendo, among others.

They're posting proprietary developer code. They're bringing back Tupac and Biggie. They're advising Nintendo on more secure httpd configurations. And they're issuing funny press releases via Twitter and Pastebin.

In the last few weeks these guys have picked up around 96,000 Twitter followers. That's 20,000 more than when I looked yesterday. Twitter has given LulzSec a stage to show off on, and showing off they are.

The Internetz, largely, are loving it.

It might be surprising to external observers, but security professionals are also secretly getting a kick out of watching these guys go nuts.

I wrote my first article on information security around May 2001. It was about the Sadmind worm and it ran on the letters page of the IT section of The Age newspaper in Melbourne.

"Geez," I thought to myself. "If awareness isn't raised about the unsuitability of these computamajiggies for srs bizness, we could encounter some problems down the track."

So for the last ten years I've been working in media, trying to raise awareness of the idea that maybe, just maybe, using insecure computers to hold your secrets, conduct your commerce and run your infrastructure is a shitty idea.

No one who mattered listened. Executives think it's FUD. They honestly think that if they keep paying their annual AV subscriptions they'll be shielded by Mr. Norton's magic cloak.

Security types like LulzSec because they're proving what a mess we're in. They're pointing at the elephant in the room and saying "LOOK AT THE GIGANTIC FUCKING ELEPHANT IN THE ROOM ZOMG WHY CAN'T YOU SEE IT??? ITS TRUNK IS IN YR COFFEE FFS!!!"

There is no security, there will be no security. The horse has bolted, and it's not going to be the infrastructure that's going to change, it's going to be us.

LulzSec is running around pummelling some of the world's most powerful organisations into the ground... for laughs! For lulz! For shits and giggles! Surely that tells you what you need to know about computer security: there isn't any.

The mainstream media are having fun criticising Sony for its poor security, but do we honestly think for a second that the XBox Live network can't be similarly pwnt? (I know the PSN breach hasn't been pinned on LulzSec, but the point stands.) Is there any target out there that can't be "gotten"?

State-sponsored attackers, likely Chinese, have even wormed their merry way through the networks of the US military industrial complex, buggering off with the blueprints for the next Lockheed Martin death-ray-lasermatron or similarly diabolical, geo-strategically altering super-weapon.

Yay! Human rights abusers with US-designed military technology! w00t w00t!

Thanks, RSA. <3

Don't even get me started on them. As BlackHat organiser turned US Department of Homeland Security advisor Jeff Moss Tweeted yesterday, "When I heard RSA had a shiny new half million dollar HSM to store seed files I wondered where had they been stored before".

We're relying on these boneheads to lock down our most sensitive R&D? Shoot me now.

What about privacy? Oh, well that's out the window too. Did you hear Facebook has facial recognition now? Great, huh? Plus the bloatware that is Facebook's Web application is full of bugs anyway, so we really do just have to assume all our Facebook accounts are pwnt. Our telcos are owned, our mobile devices track us, as the iPhone/Android tracking scandal showed us. Privacy is dead.

So why do we like LulzSec?

"I told you so."

That's why.

Check out the latest Risky Business podcast here.

On this week's show we're taking a look at the issue of failkit. Why is it that the very software designed to keep our networks secure is full of bugs?

A pen tester buddy of mine recently found an 0day XSS in a single sign on product... on ITS FRONT PAGE. Another friend found an auth bypass in a two-factor authentication management console. ON ITS FRONT PAGE.

It's impossible to find AV engines that don't come preloaded with a zillion format string vulnerabilities, and as you'll hear in this week's news, even Cisco's VPN solution is a nice way to actually own organisations. WTF.

Bug hunter extraordinaire, Azimuth Security's Mark Dowd, joins us after the news to chat about that. We'll also have a quick chat with Josh Corman, an analyst with 451 group in the USA and co-founder of the Rugged Software initiative.

Adam Boileau, as always, stops by for a check of the week's news headlines.

On this week's show we're chatting with HD Moore all about a recent decision by research house VUPEN to refuse to share their research into Chrome vulnerabilities with Google.

The French group likely sells 0days to governments, militaries and intelligence agencies to use on offensive operations -- so of course sharing its exploit information wouldn't make much sense for them. But what does this mean? Will we see any bugs in the open anymore? Or will they all go underground and be sold to governments?

This week's edition of the show is brought to you by NetWitness. Eddie Shwartz will be along after this week's feature interview to discuss the role of vendor marketing in making our situation worse. It's the job of marketing and salespeople to dazzle executives with bulldust -- but is it driving enterprise security investment in the best direction? Find out in this week's sponsor interview with Eddie Shwartz.

Adam Boileau stops by for a look at the week's news.

Microsoft was kind enough to sponsor our coverage of AusCERT's 2011 conference and as a part of that sponsorship arrangement we're doing these sponsored podcasts. We've already posted two interviews with Microsoft peeps about security issues, but we're posting this full talk as well.

Maarten Van Horenbeeck works in the Microsoft Security Response Center managing Microsoft's efforts to share information on security vulnerabilities with third party security software providers, government agencies and national CERT teams.

This talk is about how Microsoft applies ratings to its product vulnerabilities... there are a bunch of ratings systems out there... Maarten covers off some of these and discuss how MS boils down its own scores. I hope you enjoy this talk.

This is a full presentation by AusCERT's day three keynote speaker Ross Anderson.

Ross has kindly allowed us to podcast his entire talk.

Ross is professor of security engineering at Cambridge University, and author of the bestselling textbook "Security Engineering: A Guide to Building Dependable Distributed Systems". He was a pioneer of peer-to-peer systems, of hardware tamper-resistance, and of the economics of information security.

Ross will discuss the economics of information security in two contexts: frauds against payment networks, and the resilience of the Internet. The talk will draw on a recent major study Cambridge did on the resilience of the Internet.

Tony Oliver and the Pubcast crew interviewed me about the talk I did at ITWeb's Security Summit in South Africa the other week.

My talk was all about militarisation trends in the digital security field. I drew parallels between the Cold War and what's happening now. You can find it here.

Thanks to Tony and the rest of his gang for having me on their show. It's good to be on the other end of an interview every now and then!

You're about to hear one of the highlights of AusCERT's annual conference -- the speed debates! Not to be taken too seriously, the speed debate happens at the end of the con -- it's a chance to have a laugh and shed some lighter perspectives on the security discipline.

It's hosted by Australian broadcaster and journalist Adam Spencer. I hope you enjoy it.