Podcasts

News, analysis and commentary

RB2: SPONSOR PODCAST: Symantec malware update with Vincent Weafer

Presented by

Patrick Gray

CEO and Publisher

This podcast consists entirely of a sponsored interview with Symantec's director of Security Response, Vincent Weafer.

We're absolutely stoked to have Symantec on board -- with them sponsoring we now have the means to expand what we can offer you on Risky.Biz.

Thanks to this relationship you'll be hearing regular podcasts from our new RB2 reporter, Paul Craig.

These sponsored podcasts are a way for Symantec to get out there and talk about topics it knows well. Let's face it, they've been in anti-malware since woolly mammoths were a common form of transport, and following its acquisition of MessageLabs, Symantec is a big player in anti-spam as well.

So I got Vincent on the line and we talked about everything from Gumblar to the latest trends in spam, to the US Federal Trade Commission's role in shutting down rogue service provider 3FN. Enjoy!


RB2: Shaka Con Podcast: Keynote speech on corporate espionage by Luke McComie

Presented by

Patrick Gray

CEO and Publisher

In this episode of RB2 you'll hear a keynote from the Shaka Con security conference in Hawaii. BT security consultant Luke McComie discusses various methods of getting around corporate defences, both physical and digital. The talk is about corporate espionage, and it's well presented.

Luke is a senior staff member (goon) at the DEFCON Security Conference and also contributes to several computer security organizations including the r00tcellar Security Team, 303 and Security Tribe.


RB2: Shaka Con Podcast: Interview with Luke McComie

Presented by

Patrick Gray

CEO and Publisher

In this interview Risky.Biz reporter Paul Craig talks to BT security consultant Luke McComie about corporate espionage. Luke presented a keynote on the topic at the Shaka Con conference in Hawaii.

Throughout that presentation we heard how corporations don't adequately secure their physical environments, and this can lead to some pretty nasty consequences as far as information leakage goes. We heard Luke tell some war stories about slipping past security guards in that one.

So we heard about the victories, but in this interview Paul asks Luke to explain some of his more epic failures while doing the same.


Risky Business #112 -- Pollie wanna hacker? Special guest Senator Stephen Conroy

Presented by

Patrick Gray

CEO and Publisher

Adam Boileau

Technology Editor

This week's show is a cracker -- we have a very special guest, Senator Stephen Conroy.

The senator is Australia's Minister for Broadband, Communications and the Digital Economy and I caught up with him in Sydney last week to get his take on what he feels the role of government is when it comes to IT security.

We're also joined by Sydney-based security consultant Jason Edelstein who'll be chatting about telephone-related fraud. US authorities have just busted up a massive ring of phone fraudsters with links to Islamic fundamentalists, of all people. Over a period of years they hacked into more than 2500 systems and resold access via calling cards.

Apparently that netted them an estimated $55 million, which is certainly better than a kick in the proverbials.

We'll also check in with Stuart Strathdee from Microsoft. Stu's popping in to talk about 0day. There have been some really scary 0day bugs in Microsoft products lately, and Stuart pops by with his take on the situation.

He argues that Office 0days are actually pretty far down on ye olde risk register.

And of course we check out the week's news headlines with our good friend Adam 'Metlstorm' Boileau!

If you'd like to leave us some audio feedback, to be used in the Risky Business podcast, call Sydney 02 8569 1835 or USA +1 877 688 8417 (Toll free).


COMMENTARY: Domain.com.au Users Left Twisting In The Wind

Presented by

Patrick Gray

CEO and Publisher

Fraudsters are placing fake rental property listings for affordable apartments on the Domain site. Upon contacting the purported landlord, would-be renters are instructed to transfer money offshore in exchange for apartment keys that will never arrive.

The 'landlord' claims to have moved to Italy, but promises to send the keys along with the lease when a bond is received in escrow. If the would-be renter doesn't like the apartment after using the keys to inspect it, they are assured their money will be refunded. There are, of course, no keys.

Or apartment, for that matter.

"I have found a procedure that will allow us to make a fast and safe deal and through this way you will see [the apartment] and decide if you will stay in the apt or not before I receive my payment," one of the scam e-mails reads. "In this way you will receive the keys in less than two days, if you move fast as well."

The wire transfer the fraudsters instruct their marks to use, conducted through Western Union, is irreversible and final.

Since Risky.Biz first exposed the current incarnation of the rental scam in May we've received e-mails and phone calls from several victims.

Nadine was taken for $8,000 in two transfers. After she'd sent an initial amount, the fraudsters managed to coax thousands more out of her with the promise of a budget lease.

Mohammad, a foreign student based in Hobart, lost $2,000. "I don't know what to do," he told Risky.Biz Friday last week. "I'm alone and I don't have any money... I'm homeless."

Risky.Biz referred Mohammad to the Tasmanian Fraud Squad.

As recently as this morning we received a telephone call from a Domain.com.au user in Brisbane who was almost taken in by the scam. There have been several such calls, and many of those users only knew about the fraud because they had stumbled on Risky.Biz's coverage of it.

"I am currently looking for an apartment in Sydney and came across a deal which sounded too good to be true - and it was," wrote Sydney renter Paul Geddes. "My suspicions were confirmed by... coming across an article posted on your site on May 15th.... So thanks to and all involved for the alert."

Why are Risky.Biz and online fraud websites the only sources of information on the scam? Why aren't users finding out about the fraud from Domain.com.au itself?

Through its outsourced spin team, Red Agency, Domain.com.au says it's introducing a series of warning pages designed to combat the fraud.

How can this be taking so long? Why is this not the company's top priority? Can it really take five weeks to introduce a splash screen? Why won't the company identify the manager responsible for combating this type of fraudulent activity and make them available for an interview? Is anyone in charge of combating fraud?

The team at Fairfax Digital should be forced to speak to the victims of this fraud. It's heartbreaking. Most have borrowed money to pay for the bond and advance rent on their exciting new apartment. Instead of a new lease, however, they're left in debt and homeless.

Even worse, they're left feeling foolish.

The appropriate response, in the view of Risky.Biz, would be to send a press release and make some noise. Warn users. Get as many spokespeople in front of as many media sources as possible. The media is the perfect conduit through which warnings like this can be distributed.

Some companies are mature enough in their approach to raise the alarm themselves. As Australia's Commonwealth Bank was being hammered by a series of phishing scams targeting its users last month, it introduced a splash screen, shown to every user every time they logged in, warning them of the scam.

Admittedly the bank has more skin in the game than Domain.com.au -- direct losses through phishing -- but it's the view of Risky.Biz that organisations should protect their customers' money as if it were their own.

There is no downside to that approach. Instead, Domain.com.au is circling the wagons and dragging its feet.

It's not good enough.


Risky Business #111 -- PLAID make Gutmann ANGRY! Gutmann SMASH!

Presented by

Patrick Gray

CEO and Publisher

Adam Boileau

Technology Editor

This week's episode is hosted by Vigabyte and brought to you by Tenable Network Security.

On this week's show we're looking back at an issue we covered a little while ago: PLAID. No, not the oh-so-groovy pattern, but Centrelink's home-baked authentication protocol.

PLAID is a contactless smart card authentication protocol designed by Australia's welfare agency and released a couple of months ago. They're hoping to have it recognised as an ISO standard, but not everyone's convinced that's a good idea.

We'll be hearing from the University of Auckland's Peter Gutmann. He's a bit of a rockstar in the smart card and crypto fields, and he's had a look at the supporting documentation released by Centrelink and isn't too impressed.

It might sound like an Australia-centric story, but it's not. This is a fascinating case-study-in-progress for anyone considering doing this sort of wheel reinvention project.

In this week's sponsor segment we chat to Marcus Ranum about the liability chain when data leaks.

Securus Global's Declan Ingram joined host Patrick Gray at the pub to discuss the week's news headlines. Sorry about the background noise!


Risky Business #110 -- Industry pioneer Nir Zuk, Gumblar, PCI lawsuits and more

Presented by

Patrick Gray

CEO and Publisher

Adam Boileau

Technology Editor

This week's show is hosted by Vigabyte and brought to you by Sophos.

On this week's show we chat to an industry pioneer, Nir Zuk. He's widely credited as the creator of the first stateful inspection firewall.

These days he works for the company he founded, Palo Alto Networks. We're chatting to Nir about his thoughts on security technologies -- everything from firewalls to IDS to DLP.

Nir is a very sharp cat indeed, with a lot to say about the direction security tech is headed. He tends to push his own agenda a bit in terms of talking up his firewall approach, but he has heaps of interesting stuff to say on other topics.

In this week's sponsor interview we chat with Paul Ducklin about an old debate -- is open source better for security? It was a topic we touched on briefly in the AusCERT speed debate, which, incidentally, is available for download in our Risky Business 2 channel. We both thought it was a topic worth expanding on. It's an interesting chat and it's coming up soon.

Adam Boileau is the week's news guest.


Attorney General Confirms CNVA "Suspension"

Presented by

Patrick Gray

CEO and Publisher

The Computer Network Vulnerability Assessment program was designed "to help organisations that own or manage critical infrastructure test the security of their computer networks and systems".

To date, 32 CNVA projects have been approved with 30 projects proceeding.

Projects have been undertaken in the banking and finance, energy, food chain, health, transport and water sectors, a spokesperson from the Attorney General's department says.

The program will be suspended on July 1 "pending review".

Launched in 2004, the CNVA aimed to assist those maintaining critical infrastructure in identifying key weaknesses in their security. Yet to date, the Attorney General has doled out just $2.2 million through the scheme.

Still, the department insists the program may yet be revived.

"The CNVA program is likely to be re-activated in the future, however no decision has been made on timing," the spokesperson says.

One penetration tester interviewed by Risky.Biz wasn't surprised. He says the "refund" nature of the subsidy often made applying for the grants more trouble than they were worth. "It didn't align with organisations' typical procurement processes," he says.

The program identified critical infrastructure as "physical facilities, supply chains, information technologies and communication networks which if destroyed, degraded or rendered unavailable for an extended period would significantly impact on the social or economic well-being of the nation".

Our thanks to Drazen Drazic for bringing this story to our attention.

Scary Stats Don't Spook Netizens

Presented by

Nigel Phair

Despite mounting risks on an information superhighway jammed up with malware, 419 scams, phishing and credit card fraud, the number of 'net users is still growing rapidly.

All the way back in 1998, America's National Institute of Standards and Technology (NIST) categorised and analysed 237 computer attacks. The results of that analysis revealed such pearls as:

  • 3 percent of the attacks enabled web sites to attack site visitors
  • 4 percent of attacks scan the Internet for vulnerable hosts
  • 5 percent of attacks are effective against routers and firewalls

These figures tell us that surfing the internet, even back in 1998, was not a risk-free activity.

But today, the numbers are out of control.

Recently the Pentagon confirmed 360 million attempts to penetrate its networks throughout 2008.

Sure, a lot of that is probably malware background noise, but a million intrusion attempts a day is noteworthy, regardless of whether they're automated or not.

The CERT Coordination Center at Carnegie Mellon says catalogued vulnerabilities have increased from 171 in 1995 to 7,236 in 2007, and to me even that sounds like the tip of the iceberg.

It doesn't stop there. The Anti Phishing Working Group tells us the number of websites infecting PCs with password-stealing 'crimeware' reached an all time high of 31,173 in December 2008. This was an 827 percent increase from January 2008, and again, probably a conservative, tip-of-the-iceberg estimate.

Things have changed a bit since the first ever Australian phishing investigation. In April 2003 we were notified of the existence of a dodgy looking Commonwealth Bank website. It seemed pretty interesting at the time, but today authorities hardly clamour to get involved in phishing investigations. The crime is too common and too hard to investigate.

Along the way there have been numerous vendor, CERT, academic and government inspired surveys and reports, which all point to one thing -- increased risk.

But what has all this doom and gloom resulted in? The OECD reports that from 2000 to 2007 there was a 256 percent global increase in the use of the Internet, with take-up now standing at 20 percent of the world's population (or 58 percent penetration for OECD member states).

Facebook (in operation since 2004) has 200 million active users with 100 million of these people logging in at least once a day.

The threats just aren't scaring away users.

So why do we need all these numbers?

Alas, statistics are the only true way to analyse effectiveness and compare results. As a forecaster I would say (from summarising this collection of data) that threats will continue to increase, but so will the number of Internet users. It's somewhat counterintuitive, but there you go.

As a global economy and more importantly as a global industry we do need to record and analyse these statistics related to IT security. But the more interesting line of inquiry is what you do with such alarming numbers when the average internet user just doesn't seem to care about escalating risks?

Nigel Phair was the Team Leader of Investigations for the Australian High Tech Crime Centre from 2003 to 2007 and the author of Cybercrime: The Reality of the Threat. He is an active cyber crime analyst.

Risky Business #109 -- Open source intelligence with Maltego creator Roelof Temmingh

Presented by

Patrick Gray

CEO and Publisher

Adam Boileau

Technology Editor

This week's episode is hosted by Vigabyte and brought to you by Check Point Software.

This week you'll be hearing an interview with Roelof Temmingh, the creator of Maltego. Maltego is seriously cool software that you'll probably want to have a play with.

Roelof joins the podcast to talk about how you'd use his software to pwn a three letter agency.

In this week's sponsor interview Check Point Software's Steve McDonald joins us to discuss how vendors might create very specific kit for very specific problems. Think of SCADA firewalls and boxes designed to prevent VoIP toll fraud, stuff like that.

Are mega-specific solutions a band-aid approach and a terrible idea, or are they better than nothing?

As for this week's news, we all know him, we all love him and his beautiful, lustrous, soft, soft UNIX beard. Adam 'Metlstorm' Boileau joins the program, as usual, to chew the fat and discuss the last week's big headlines.
