
Risky Business #115 -- Goldman Sachs pwned, Kimberly Zenz and Brian "Jericho" Martin

Presented by Patrick Gray, CEO and Publisher, and Adam Boileau, Technology Editor

On this week's show we're joined by semi-regular guest Adam Pointon. Adam's the CSO for a financial services company, so he has a fair bit of insight into both security technology and market-based technology. You may have heard by now that investment bank Goldman Sachs has claimed its trading algorithm has been stolen by one of its developers. Why is this a big deal? How would possession of that algorithm be advantageous to an attacker? Adam joins the show to tell us.

We also hear from Brian "Jericho" Martin -- he's the maintainer of the Open Source Vulnerability Database and he also works for Tenable Network Security, our sponsor. He'll be along in this week's sponsor interview to have a chat about that nasty DirectShow ActiveX bug that's doing the rounds at the moment -- did Microsoft drop the ball on this one? Well, the answer is maybe, as you'll hear.

We have a special news guest this week, too -- iDefense cybercrime analyst Kimberly Zenz.


RB2: F-Secure Press Panel: The future of the digital economy

Presented by Patrick Gray, CEO and Publisher

F-Secure flew its chief research officer, Mikko Hypponen, out to Australia last week to meet the press. The company hosted an event -- the F-Secure Future of the Digital Economy Forum -- and invited a bunch of very interesting panellists to discuss the state of information security today. They asked Risky Business to moderate and record the session.

The panellists were:

  • Mikko Hypponen, chief research officer, F-Secure
  • Graham Ingram, managing director of AusCERT
  • Neil Gaughan, national manager of the Australian Federal Police's High Tech Crime Operations
  • Nick Abrahams, national leader of Deacons' technology, media & telecommunications group
  • Michael Lonie, policy manager for the Australian Retailers Association
  • Crispin Tristram, consumer online general manager for Singtel Optus

In the interests of disclosure, Risky Business was paid to moderate and record this event.

It was a genuinely interesting discussion, and we're podcasting the whole thing, more or less unedited. So here it is -- last Wednesday's F-Secure Future of the Digital Economy Forum, held in the Ocean Room at Sydney's Overseas Passenger Terminal at Circular Quay West. Enjoy.


Belorussian ATM Attacks Could Be Replicated In English Speaking Nations

Presented by Kimberly Zenz

First, Diebold warned Russian banks about malicious code installed on their machines last January. Then in May, Trustwave reported on malware found on 20 ATMs in Russia and Ukraine, the earliest of which was first infected almost exactly two years ago, and which has been improved at least 16 times since then.

Now Belorussian ATMs face another wave of malicious code, infecting what appears to be a high number of ATMs in urban areas.

In the Belorussian case, victims attempting to withdraw funds first see an English-language message, "please wait," after which they are informed that the money requested cannot be provided due to insufficient funds.

The requested amount is then debited from their balance the next day.

Some users also report the remaining balance of their accounts disappearing the next day. Others report similar issues when attempting to pay with their debit card in a store. In addition to the problem that this presents in and of itself, anecdotal reports by Belorussian bloggers suggest that the code is quite widespread, especially in the capital, Minsk.

Exacerbating this is the response by the affected banks, confirmed to include the country's four largest, and the government, which is generally responsible for all forms of security in "Europe's last dictatorship".

As with the other Eastern European ATM troubles, the attackers in the Belorussian case must have access to the machine, suggesting insider involvement.

All of the ATMs thus far confirmed infected belong to banks which have contracts with Belorussian Processing Center (BPTs), which would lead one to conclude the insider had access there. This is impossible to confirm, however, as the banks are silent and BPTs denies its machines are infected at all, insisting instead that the missing funds were caused by a "technical failure," and subsequently "defective software". BPTs went so far as to tell reporters on June 5th that these technical issues had been resolved, but victims continue to report lost funds.

The state (which controls one affected bank, the dominant Belarusbank) has been equally unhelpful. Two weeks ago it announced that it had broken up nine groups of "international cyber criminals" targeting ATMs, and that such fraud, which it claims to be on top of, is responsible for 96% of all cybercrime in the country (one supposes that state-sponsored attacks on opposition news outlets are not included). Nothing in the announcement related directly to the current losses.

Last week's Ministry of Internal Affairs operational meeting discussed cybercrime as well. There is no known law enforcement involvement, although it is possible that police and the banks are working behind the scenes to patch the ATMs and catch those responsible, albeit ineffectively.

Secrecy and ineffectiveness are not restricted to cybercrime in Belarus, a situation reflected in a belief voiced by some victims of the ATM malware that the state was in fact stealing the money itself to fill holes in the budget brought about by the economic crisis.

While it is not the author's opinion that the state is responsible for the thefts, the belief does reflect the public's opinion of both the state's honesty and its capability to address the problem.

This is a problem for Belarus to be sure, but it is also a problem for those of us in wealthier countries. It is a common practice for cyber criminals in the Former Soviet Union to test and perfect new tactics or malcode closer to home, where they know the system better and are safer from investigations.

There is no reason to think that ATM malcode would be any different. True, insider access is necessary at this point, and that may be easier to obtain in Eastern Europe, but it is possible to get elsewhere, and, as Trustwave found, improvements are constantly introduced. That the Belorussian malcode uses English as its language and not Belorussian or Russian suggests that its creators may have similar plans.

Kimberly Zenz is an analyst with iDefense. She specialises in the analysis of cybercrime in the former USSR.


From The 'Oops' File: Windows Live Blocks MessageLabs Customers

Presented by Patrick Gray, CEO and Publisher

Customers of the MessageLabs spam filtering and e-mail security service have been unable to send to Windows Live accounts, such as Hotmail addresses, since Friday.

UPDATE (14:38): The ban does not appear to be affecting all MessageLabs customers as initially reported. Some customers who route their outbound mail through US-based MessageLabs servers appear affected, but Risky.Biz has identified at least one customer, routing through Asia-Pacific ML servers, that is not affected. It looks like only some of the US-based MTAs are blocked.

"We have been recently made aware that Windows Live has implemented a block on our IP address," reads an automatically generated email from MessageLabs in response to support requests. "We are in the midst of engaging their support teams to reach a resolution on this case."

Risky.Biz has confirmed the block is still in place after three days. The 4th of July weekend in the USA is no doubt hindering efforts to remedy the situation.

Automated 'bounce' messages from Windows Live Servers state the ban was imposed because MessageLabs email servers "exhibited namespace mining behaviour," which is commonly associated with spamming.

MessageLabs, which is owned by security software maker Symantec, is a popular service among enterprise customers. In Australia its client list includes insurer QBE, Westpac Bank, Colonial First State, 172 local governments in New South Wales, the NSW health department and airline Virgin Blue.

Many MessageLabs customers use the company's service to handle both inbound and outbound email messages for compliance reasons.

Spokespeople for both MessageLabs and Microsoft were unable to comment at the time of writing.


FULL DISCLOSURE: Both Symantec, the owner of MessageLabs, and Microsoft are Risky Business sponsors.

Risky Business #114 -- Gartner: Infosec jobs bound for India

Presented by Patrick Gray, CEO and Publisher, and Adam Boileau, Technology Editor

This week's edition of Risky Business is hosted by Vigabyte virtual hosting and brought to you by Check Point.

On this week's show we'll be joined by Gartner analyst Andrew Walls, who's got some less than reassuring things to say about the security of your job in the long term. Apparently the great big destructive meteor, "outsourcing," is about to collide with planet infosec, and when that happens it'll be grim indeed.

We'll also be joined by Steve McDonald, Check Point Australia's Engineering Services Manager, to discuss a softening in the stance of security companies when considering hiring people with a dark past. With guys like Jeff Moss on DHS advisory panels, can we still expect to hear the CEOs of large companies tonking on about how they "don't hire hackers"? Or will they just look a little bit backwards if they do?

Adam Boileau, as usual, joins the show to discuss the week's news stories.


RB2: ShakaCon Presentation: Hackers with freakin' laser beams on their heads, the presentation

Presented by Patrick Gray, CEO and Publisher

This podcast is a ripper: it's a presentation by Andrea Barisani and Daniele Bianco.

RB2 correspondent Paul Craig was in Hawaii last month for the ShakaCon security conference and he recorded this talk, which looks at side channel attacks using optical sampling of mechanical energy emissions and power line leakage.

What does that mean? Hackers with freakin' laser beams on their freakin' heads is what it means. These guys have developed techniques for sniffing keystrokes out of power lines and via laser beams... you know, the ones on their freakin' heads!

When you're done listening to this, you can download an interview Paul Craig did with these guys about their talk. It's all on RB2!


RB2: ShakaCon Interview: Hackers with freakin' laser beams on their freakin' heads

Presented by Patrick Gray, CEO and Publisher

If you're an avid RB2 listener you would have already heard the ShakaCon presentation by Andrea Barisani and Daniele Bianco on non-conventional keystroke sniffing techniques.

Their presentation was on sniffing keystrokes through power lines, or alternatively by using freakin' lasers attached to their freakin' heads to detect the sound of keystrokes and then work out what was being typed.

Well, RB2 correspondent Paul Craig was in Hawaii for ShakaCon and scored this interview with the pair, although it should be said that Andrea is the guy who speaks most here. Enjoy.


Juniper Networks Gags "ATM Jackpot" Researcher

Presented by Patrick Gray, CEO and Publisher

Security and network device vendor Juniper Networks forced researcher Barnaby Jack to cancel his presentation, an anticipated highlight of the Black Hat event, following pressure from the affected ATM vendor. The demonstration would have seen the researcher hack an ATM live on stage, causing it to spit out cash, or "jackpot".

"The affected ATM vendor has expressed to us concern about publicly disclosing the research findings before its constituents were fully protected," a statement issued by Juniper Networks reads. "Considering the scope and possible exposure of this issue on other vendors, Juniper decided to postpone Jack's presentation until all affected vendors have sufficiently addressed the issues found in his research."

Risky.Biz understands the ATM vendor had been given notification of the upcoming presentation, and Juniper Networks was initially happy for Mr. Jack to present his research findings publicly.

Security researcher and maintainer of the Open Source Vulnerability Database Brian Martin told Risky.Biz the cancellation of security-themed presentations by researchers' employers is an all-too-common experience. "Why does it come down to the vendor changing their mind or waiting to pressure," he asks. "They knew about the research, knew about the talk."

The latest cancellation echoes a similar event in 2005, when a talk on vulnerabilities in Cisco equipment by Michael Lynn was pulled from the conference by the networking giant in cooperation with Lynn's employer, security software maker ISS, which is now a division of IBM.

In a dramatic twist, Lynn resigned and gave his talk anyway. Ironically, he was hired by Juniper Networks, where he still works to this day.

In 2008 a talk on flaws in Apple's FileVault encryption technology was also pulled following pressure from the computer maker.

A security researcher who did not wish to be named expressed his disappointment at the cancellation. "It is a shame that this work won't see the light of day, at least for now," he told Risky.Biz. "Barnaby has always done great work and it would be great to learn some of his innovative new approaches to attacking systems that we trust with all of our money... plus, it's just damn cool."


Risky Business #113 -- Twitter propaganda with Maltego creator Roelof Temming and more!

Presented by Patrick Gray, CEO and Publisher, and Adam Boileau, Technology Editor

This week we're taking a look at the technology angle to this whole mess in Iran. We'll be chatting with Arbor Networks chief scientist Craig Labovitz about the filtering the government is doing over there, then we'll be checking in with Roelof Temmingh of Paterva.

Paterva makes Maltego, the open source intelligence tool that many people are using to analyse various aspects of information flow in Iran -- including the spread of propaganda via Twitterbots.

We'll also be hearing from Microsoft's Stuart Strathdee in this week's sponsor interview. He'll be joining us to discuss the company's free Morro antivirus package -- it's software that probably had more anti-trust lawyers involved in its development than actual developers.

Adam Boileau also joins us with the week's news.

Editor's note: We're aware that Roelof's name is misspelled in the headline, but if we change it, it'll break the current URL and cause drama. So we'll leave it for now. But yes, his last name is spelled Temmingh, not Temming. Apologies.


Avoiding Social Networking Can Backfire

Presented by Patrick Gray, CEO and Publisher

To my eyes Facebook just looked like a badly organized dating club, and the idea of having to fire regular musings out into cyberspace via a blogocannon has never appealed.

Figuring I was just too lazy to sign up for these services, my dear friend offered to register me anyway and just give me the passwords. Being a Google fanboy, he could sign me up as roelof.temmingh on Gmail and connect my newly created Facebook profile to that email account.

That got my attention.

I registered the email myself, quick smart, then some time later I registered my name at Facebook, with no profile information. It was a way to cyber-squat my own online identity.

It seemed like a good idea until a colleague pointed out that someone could create a profile in my name that looked more real than my blank profile. Then people would ignore my real Facebook entry and speak to "fake Roelof".

So much for the squatting plans.

So I did what I dreaded doing for a very long time and began populating my details and sending out 'friend requests'. It had the same feeling you get when joining a party where everyone is drunk, you've arrived late and don't know anyone. You know what I'm talking about.

Then the evil half of my brain got busy with hypothetical scenarios. What if I were to duplicate the process for the board members of a large company? I could even set them up with fake LinkedIn details. With a little investigation into their professional and personal life I could pull an Agent Smith and just become them! I could control who their virtual identity speaks to, who their friends are and perhaps later even start issuing press releases from their 'private' accounts. How long will it take before they realise their identities have been stolen?

I once asked the audience during a conference presentation "what's better -- to have a comprehensive profile on the Internet (e.g. be registered on social networks, have your email address known out there etc), or to have nothing about you known at all?"

Since my talk was about open source intelligence most people assumed nothing about you should be known to anyone. But I am not convinced. If nothing about you is known on the Internet it means you give attackers a clean page to work with -- they can cook up anything about you -- and there is nothing to refute their claims.

When phishers still thought that people needed to be convinced of the authenticity of websites, before they realised that people will click on any link, they would register a domain like abc-bank.com when the legitimate domain was something similar, like abcbanking.com. One solution for the banks was to proactively register all possible combinations of their trade name in a domain name.

The registrars sure smiled. It was a bit of a losing battle and the cost of maintaining and renewing all these useless domains was high. I fear that the same scenario is playing itself out in the individual online identity space at the moment.

The real problem we are facing is that we don't have a real concept of identity on the Internet. With websites and infrastructure we at least have SSL, which is admittedly mostly useless. Sure, we have class 1 certificates for people, but those just verify a person's email address.

In the past when someone presented you with a hotmail address you would have treated it with a fair amount of suspicion. But those days are gone. Everyone has a Gmail account and it's perfectly normal to send 'official looking' email using these accounts. Hell -- the guys that should be securing our government networks have a public webmail address on the 'contact us' section.

The root of this problem is always the end user. Technically we can solve this problem pretty easily. We'd start an organisation to verify the identities of people the same way that Certificate Authorities verify the identity of a corporation.

We ask for blood samples, retina scans, passports, photos, finger and voice prints. After all that we give them a nice digital certificate that they can use on any online service. Try forging someone's DNA, buddy!

But how many people will use the service? Here is web site A asking for an email address and there is B asking for a certificate verified by blood sample. I think I'd go with option A.

This isn't a technology problem. It's a PICNIC problem -- problem in chair, not in computer. Any website that can convince someone that it would benefit them if they give the site their details will win, and that means online identity will stay fuzzy for the foreseeable future.
