Podcasts

News, analysis and commentary

Risky Business #116 -- Veracode's Chris Eng talks Blackberry spyware

Presented by Patrick Gray (CEO and Publisher) and Adam Boileau (Technology Editor)

This week's show is hosted by Vigabyte and sponsored by Sophos. You'll hear from Sophos's Paul Ducklin later on in the show in this week's sponsor interview.

This week's feature interview is with Chris Eng of Veracode, and we'll be chatting about his analysis of a nasty bit of blackberry spyware that was pushed out to all blackberry users on UAE-based carrier Etisalat.

And of course we're joined by Adam Boileau for a discussion of the week's news.

Duration: 49:24

RB2: ShakaCon Podcast: Lockpicking with Deviant Ollam

Presented by Patrick Gray (CEO and Publisher)

This is the final episode of our podcast series recorded at ShakaCon. From next week on RB2 you'll hear reports prepared by our roving reporter Paul Craig on location at New Zealand's OWASP day.

ShakaCon is a hacker conference held annually in Honolulu, Hawaii, and as you'll hear, the conference didn't limit itself to digital security. Lock-picking aficionado Deviant Ollam was there to give a talk all about locks and, curiously, how to fly with locked luggage.

If you've travelled within the USA you may have opened up your bags one day to find a friendly note from the TSA telling you they have searched your bag for your safety.

Well, as it turns out, there's a way to legally fly with a locked bag. It involves flying with firearms. Only in America, folks.

Risky.Biz's own Paul Craig caught up with Deviant at ShakaCon and filed this interview.

Duration: 10:45

Domain.com.au Acts On Fraud Then Tells Fibs

Presented by Patrick Gray (CEO and Publisher)

Domain.com.au has finally blocked private rental listings in order to stamp out the fraudulent listings that have fleeced its unsuspecting customers of thousands of dollars over several months. It's something, but it's way too late. This is what the company should have done in May, when it first got wind of the problem.

Instead, it tried to spin its way out of trouble, enlisting the help of PR company Red Agency to handle this website's enquiries.

Domain.com.au refused interviews. Domain.com.au knew its customers were losing money to criminals. Domain.com.au chose to do virtually nothing to stop it.

In response to these Risky.Biz articles that first exposed the fraudulent activity in May and June (1 and 2), Risky.Biz received an oh-so-chirpy e-mail from Red Agency on June 19. It informed Risky HQ that a "new security policy, accessible through various links on the site," had been written and published!

What a relief! Problem solved!

Not only that, but the company had used the most advanced "hyperlinking technology" through some new-fangled thing called HTML to link users to the fraud-defeating, magic security policy. I mean, wouldn't YOU click on a link to a security policy that was presented to you in eight-point font on a contact form?

Domain also wrote a blog post warning its users about fraud and ran it on the Domain.com.au blog. Here's a fun game: see if you can find it.

One thing we could certainly find was the graphics on the front pages of The Age and Sydney Morning Herald online that screamed words to the effect of "Apply for rental properties online now on Domain.com.au!". These were running the day the blog post went up. How deliciously ironic.

The Age and SMH are owned by Fairfax, which also owns Domain.

The thing that really cracks us up here at Risky.Biz is this excerpt from the SMH article we linked to in the first paragraph:

The general manager of key categories, Tony Blamey, said the company received reports of the scam in the past two weeks.

Sorry Tony, but we're calling bullshit on that one. Domain has known about this since mid May at the latest.

Nmap Reloaded: "Biggest Release Since 1997"

Presented by Patrick Gray (CEO and Publisher)

The new package, nmap 5.0, includes Ncat, billed as "a much more advanced and modern reimplementation of the beloved Netcat". Also included is Ndiff, which compares successive scans of a network and alerts administrators to changes.

Nmap author Gordon "Fyodor" Lyon decided on a "surprise release" of the new nmap network scanner to avoid deadline pressure. "It is very hard to predict software release dates, especially open source," he told Risky.Biz before the launch. "So rather than keep giving dates and missing them, I just keep my mouth shut and then release suddenly when it is ready."

The new and improved tool had been through an extensive beta phase before the final release hit the nmap website at 9am Pacific time in the USA.

"Really, when you get into the double digits with your beta release counts, that's a good sign to say maybe you should release a non-beta version," Lyon says. "Otherwise you end up in perpetual beta like Google."

The new version is available here.

Adam Pointon, a Melbourne-based CSO and former penetration tester, was given the opportunity to preview the new nmap. "Ncat is sweet... I'm going to alias nc to ncat," Pointon says. "With most systems using or enabling IPv6 these days, it fills the gap in the toolset... and will replace the need for multiple tools working together, such as netcat, zebedee, stunnel or s_client."

The connection-brokering and I/O redirection features make it even richer, and innovative in IPv6 land, Pointon added.

Nmap was first released in 1997 and has become the de facto standard port scanning utility for penetration testers and network administrators.

It's also cracked Hollywood. During a scene in The Matrix Reloaded the movie's character Trinity is shown using the software while hacking into a power station's control systems.


Risky Business #115 -- Goldman Sachs pwned, Kimberly Zenz and Brian "Jericho" Martin

Presented by Patrick Gray (CEO and Publisher) and Adam Boileau (Technology Editor)

On this week's show we're joined by semi-regular guest Adam Pointon. Adam's the CSO for a financial services company, so he has a fair bit of insight into both security technology and market-based technology. You may have heard by now that investment bank Goldman Sachs has claimed its trading algorithm was stolen by one of its developers. Why is this a big deal? How would possession of that algorithm be advantageous to an attacker? Adam joins the show to tell us.

We also hear from Brian "Jericho" Martin -- he's the maintainer of the Open Source Vulnerability Database (OSVDB) and he also works for Tenable Network Security, our sponsor. He'll be along in this week's sponsor interview to have a chat about that nasty DirectShow ActiveX bug that's doing the rounds at the moment -- did Microsoft drop the ball on this one? Well, the answer is maybe, as you'll hear.

We have a special news guest this week, too -- iDefense cybercrime analyst Kimberly Zenz.

Duration: 42:33

RB2: F-Secure Press Panel: The future of the digital economy

Presented by Patrick Gray (CEO and Publisher)

F-Secure flew its chief research officer, Mikko Hypponen, out to Australia last week to meet the press. The company hosted an event -- the F-Secure Future of the Digital Economy Forum -- and invited a bunch of very interesting panellists to discuss the state of information security today. They asked Risky Business to moderate and record the session.

The panellists were:

  • Mikko Hypponen, chief research officer, F-Secure
  • Graham Ingram, managing director of AusCERT
  • Neil Gaughan, national manager of the Australian Federal Police's High Tech Crime Operations
  • Nick Abrahams, national leader of Deacons' technology, media & telecommunications group
  • Michael Lonie, policy manager for the Australian Retailers Association
  • Crispin Tristram, consumer online general manager for Singtel Optus

In the interests of disclosure, Risky Business was paid to moderate and record this event.

It was a genuinely interesting discussion, and we're podcasting the whole thing, more or less unedited. So here it is -- last Wednesday's F-Secure Future of the Digital Economy Forum, held in the Ocean Room at Sydney's Overseas Passenger Terminal at Circular Quay West. Enjoy.

Duration: 43:44

Belorussian ATM Attacks Could Be Replicated In English Speaking Nations

Presented by Kimberly Zenz

First, Diebold warned Russian banks about malicious code installed on their machines last January. Then in May, Trustwave reported on malware found on 20 ATMs in Russia and Ukraine, the earliest of which was first infected almost exactly two years ago, and which has been improved at least 16 times since then.

Now Belorussian ATMs face another wave of malicious code, infecting what appears to be a high number of ATMs in urban areas.

In the Belorussian case, victims attempting to withdraw funds first see an English-language "please wait" message, after which they are informed that the money requested cannot be provided due to insufficient funds.

The requested amount is then debited from their balance the next day.

Some users also report the remaining balance of their accounts disappearing the next day. Others report similar issues when attempting to pay with their debit card in a store. In addition to the problem that this presents in and of itself, anecdotal reports by Belorussian bloggers suggest that the code is quite widespread, especially in the capital, Minsk.

Exacerbating this is the response by the affected banks, confirmed to include the country's four largest, and the government, which is generally responsible for all forms of security in "Europe's last dictatorship".

As with the other Eastern European ATM troubles, the attackers in the Belorussian case must have access to the machine, suggesting insider involvement.

All of the ATMs thus far confirmed infected belong to banks which have contracts with the Belorussian Processing Center (BPTs), which would lead one to conclude that the insider had access there. This is impossible to confirm, however, as the banks are silent and BPTs denies its machines are infected at all, insisting instead that the missing funds were caused by a "technical failure," and subsequently by "defective software". BPTs went so far as to tell reporters on June 5th that these technical issues had been resolved, but victims continue to report lost funds.

The state, which controls one affected bank (the dominant Belarusbank), has been equally unhelpful. Two weeks ago it announced that it had broken up nine groups of "international cyber criminals" targeting ATMs, and that such fraud, which it claims to be on top of, is responsible for 96% of all cybercrime in the country (one supposes that state-sponsored attacks on opposition news outlets are not included), but said nothing directly related to the current losses.

Last week's Ministry of Internal Affairs operational meeting discussed cybercrime as well. There is no known law enforcement involvement, although it is possible that police and the banks are working behind the scenes to patch the ATMs and catch those responsible, albeit ineffectively.

Secrecy and ineffectiveness are not restricted to cybercrime in Belarus, a situation reflected in a belief voiced by some victims of the ATM malware that the state was in fact stealing the money itself to fill holes in the budget brought about by the economic crisis.

While it is not the author's opinion that the state is responsible for the thefts, the belief does reflect the public's opinion of both the state's honesty and its capability to address the problem.

This is a problem for Belarus to be sure, but it is also a problem for those of us in wealthier countries. It is a common practice for cyber criminals in the Former Soviet Union to test and perfect new tactics or malcode closer to home, where they know the system better and are safer from investigations.

There is no reason to think that ATM malcode would be any different. True, insider access is necessary at this point, and that may be easier to obtain in Eastern Europe, but it is possible to get elsewhere, and, as Trustwave found, improvements are constantly introduced. That the Belorussian malcode uses English as its language and not Belorussian or Russian suggests that its creators may have similar plans.

Kimberly Zenz is an analyst with iDefense. She specialises in the analysis of cybercrime in the former USSR.


From The 'Oops' File: Windows Live Blocks MessageLabs Customers

Presented by Patrick Gray (CEO and Publisher)

Customers of the MessageLabs spam filtering and e-mail security service have been unable to send to Windows Live accounts, such as Hotmail addresses, since Friday.

UPDATE (14:38): The ban does not appear to be affecting all MessageLabs customers as initially reported. Some customers who route their outbound mail through US-based MessageLabs servers appear affected, but Risky.Biz has identified at least one customer, routing through Asia-Pacific MessageLabs servers, that is not affected. It looks like only some of the US-based MTAs are blocked.

"We have been recently made aware that Windows Live has implemented a block on our IP address," reads an automatically generated email from MessageLabs in response to support requests. "We are in the midst of engaging their support teams to reach a resolution on this case."

Risky.Biz has confirmed the block is still in place after three days. The 4th of July weekend in the USA is no doubt hindering efforts to remedy the situation.

Automated 'bounce' messages from Windows Live Servers state the ban was imposed because MessageLabs email servers "exhibited namespace mining behaviour," which is commonly associated with spamming.

MessageLabs, which is owned by security software maker Symantec, is a popular service among enterprise customers. In Australia its client list includes insurer QBE, Westpac Bank, Colonial First State, 172 local governments in New South Wales, the NSW health department and airline Virgin Blue.

Many MessageLabs customers use the company's service to handle both inbound and outbound email messages for compliance reasons.

Spokespeople for both MessageLabs and Microsoft were unable to comment at the time of writing.


FULL DISCLOSURE: Both Symantec, the owner of MessageLabs, and Microsoft are Risky Business sponsors.

Risky Business #114 -- Gartner: Infosec jobs bound for India

Presented by Patrick Gray (CEO and Publisher) and Adam Boileau (Technology Editor)

This week's edition of Risky Business is hosted by Vigabyte virtual hosting and brought to you by Check Point.

On this week's show we'll be joined by Gartner analyst Andrew Walls, who's got some less than reassuring things to say about the security of your job in the long term. Apparently the great big destructive meteor, "outsourcing," is about to collide with planet infosec, and when that happens it'll be grim indeed.

We'll also be joined by Steve McDonald, Check Point Australia's Engineering Services Manager, to discuss a softening in the stance of security companies when considering hiring people with a dark past. With guys like Jeff Moss on DHS advisory panels, can we still expect to hear the CEOs of large companies tonking on about how they "don't hire hackers"? Or will they just look a little bit backwards if they do?

Adam Boileau, as usual, joins the show to discuss the week's news stories.

Duration: 43:15

RB2: ShakaCon Presentation: Hackers with freakin' laser beams on their heads, the presentation

Presented by Patrick Gray (CEO and Publisher)

This podcast is a ripper: it's a presentation by Andrea Barisani and Daniele Bianco.

RB2 correspondent Paul Craig was in Hawaii last month for the ShakaCon security conference and he recorded this talk, which looks at side channel attacks using optical sampling of mechanical energy emissions and power line leakage.

What does that mean? Hackers with freakin' laser beams on their freakin' heads is what it means. These guys have developed techniques for sniffing keystrokes out of power lines and via laser beams... you know, the ones on their freakin' heads!

When you're done listening to this, you can download an interview Paul Craig did with these guys about their talk. It's all on RB2!

Duration: 44:14