
In Brief: Microsoft Dumps Security Evangelist

Presented by Patrick Gray, CEO and Publisher

After more than 10 years working for Microsoft, Riley fell victim to a restructuring program last Tuesday. "As a part of Microsoft's second round of restructuring, my position was eliminated yesterday and my employment with Microsoft has ended," Riley wrote on his blog. "I'm certainly not disappearing... I'll remain involved in the security industry."

According to his official bio, Riley first joined Microsoft's Consulting Services Group in 1998 before he gravitated towards the company's security consulting practice. Until last Wednesday he'd been working for the company's Trustworthy Computing Group.

UPDATE: Microsoft provided the following response:

"We can't provide comment on specific job redundancies.

As you know, in January, Microsoft announced steps the company is taking to increase efficiency and reduce costs, which included job eliminations, slowing of headcount growth, changes to compensation and other operational spending cuts.

As a continuation of that plan, last week further jobs were eliminated in several areas across the company such as R&D, marketing, sales, finance, legal, HR, and IT, as well as, positions in support, consulting, operations, billing, manufacturing, and data center operations.

While job eliminations are always difficult, we are taking the necessary actions to manage our business appropriately in today's economic climate.

Even in the face of these challenges, we remain confident that we are well-positioned as a company to emerge from this crisis even stronger."

Risky Business #107 -- Mark Dowd talks native client security

Presented by Patrick Gray, CEO and Publisher, and Adam Boileau, Technology Editor

Thanks to our sponsor Sophos, this week's edition of the Risky Business podcast is ready to download!

This week's feature interview is pretty kickass; a chat with security megalegend Mark Dowd. We talk to Mark about his entry in Google's Native Client security competition. It's very interesting stuff that could really have implications for your job in a few years.

Sean Richmond, who works for Sophos in Sydney, will be along in this week's sponsor interview to discuss the PDF format. We ask Sean why PDF readers like Acrobat Reader have been pretty bug prone lately.

Adam Boileau is this week's news guest.

Here's a list of the stories Adam and I discussed this week:

Feds' red tape left medical devices infected with computer virus, by Stephanie Condon

Twitter's network gets breached again, By Elinor Mills

MI6 Nixed Major Undercover Operation After Memory Stick Lost, by Kim Zetter

Microsoft Offers Secure Windows... But Only to the Government, by Kim Zetter

Epic Failure from McAfee (Also see McAfee Gets Worked. Hard.)

Over 8M Virginian patient records held to ransom, 30 Apr 2009, from Wikileaks.

Don't forget -- if you have any feedback on this week's show call Sydney 02 8569 1835 or USA +1 877 688 8417 (Toll free). We'll play your feedback in next week's show.


RB2: McAfee bug finder, Mike Bailey, speaks to Risky.Biz

Presented by Patrick Gray, CEO and Publisher

It's been 24 hours since Risky.Biz published a news story about several vulnerabilities -- CSRF and XSS bugs -- found in McAfee's secure vulnerability scanning service.

The story has gone global, with outlets like News.com and The Register picking it up.

So we got Mike on the phone to discuss his research. As it turns out, McAfee is just the tip of the iceberg. Bailey says this is a much bigger issue affecting most PCI scanning vendors.

You can find our original news story here.


McAfee Gets Worked. Hard.

Presented by Patrick Gray, CEO and Publisher

A Cross Site Request Forgery (CSRF) vulnerability uncovered in McAfee's "secure" vulnerability scanning portal would have allowed an attacker to take control of client accounts. The portal is designed to scan customer websites for security vulnerabilities and fulfil some PCI DSS compliance requirements.

To fall victim to the attack the target would have to be logged in to their McAfee account and browse to a malicious website that exploited the CSRF bug.

Commenting on his CSRF discovery, security researcher Mike Bailey didn't pull punches. "Until last week, McAfee Secure was vulnerable to critical CSRF holes," he wrote on his blog. "Not little ones, or ones that were difficult to exploit. [These are] basic, zero-knowledge, classic GET-based total-account-compromise holes."

McAfee did not comply with the PCI requirements for Approved Scanning Vendors as defined by the PCI Security Standards Council, Bailey claims, and he believes the company failed to use a secure software development lifecycle when building the application.

Furthermore, a penetration test should have caught the problem, he wrote, thus he concludes "no such audit has taken place".
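The "classic GET-based" hole Bailey describes has a recognisable shape, shown here as an added illustration (not McAfee's code, which is not public) beside a hardened handler. The request and session models are constructed stand-ins for a real web framework; the hardened version requires POST, a same-origin Origin/Referer header and a per-session token.

```python
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Session:
    """Server-side session for a logged-in portal user (constructed)."""
    user: str
    email: str
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(16))


@dataclass
class Request:
    """Minimal request model: method, query/form params and a few headers."""
    method: str
    params: dict
    headers: dict = field(default_factory=dict)


def vulnerable_change_email(req: Request, session: Session) -> str:
    """Vulnerable: any GET carrying the parameter mutates the logged-in account.

    A page on another site can trigger it with an image tag or a link, because the
    browser attaches the victim's session cookie automatically.
    """
    if "email" not in req.params:
        return "400 missing email"
    session.email = req.params["email"]
    return "200 email updated"


def hardened_change_email(req: Request, session: Session, site_origin: str) -> str:
    """Hardened: POST only, same-origin header required, token bound to the session.

    Each check alone defeats the GET-based attack; together they also cover
    forms auto-submitted from a third-party page.
    """
    if req.method != "POST":
        return "405 method not allowed"          # state changes never ride on GET
    origin = req.headers.get("Origin") or req.headers.get("Referer", "")
    if not origin.startswith(site_origin):
        return "403 cross-origin request rejected"
    token = req.params.get("csrf_token", "")
    # constant-time compare on bytes so a non-ASCII token cannot raise TypeError
    if not hmac.compare_digest(token.encode(), session.csrf_token.encode()):
        return "403 bad or missing CSRF token"   # third parties cannot read the token
    if "email" not in req.params:
        return "400 missing email"
    session.email = req.params["email"]
    return "200 email updated"


def demo() -> tuple:
    """Send the same cross-site GET to both handlers, then a legitimate POST."""
    site = "https://portal.example"
    victim = Session(user="merchant1", email="owner@merchant.example")
    # constructed cross-site request: no token, foreign Referer, session cookie present
    forged = Request("GET", {"email": "other@third-party.example"},
                     {"Referer": "https://third-party.example/deal.html"})
    vuln = vulnerable_change_email(forged, victim)
    hard = hardened_change_email(forged, victim, site)
    legit = Request("POST", {"email": "new@merchant.example",
                             "csrf_token": victim.csrf_token}, {"Origin": site})
    ok = hardened_change_email(legit, victim, site)
    return vuln, hard, ok, victim.email
```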

Another, seemingly unrelated Cross Site Scripting (CSS, more commonly abbreviated XSS) bug in a McAfee website allows miscreants to create pages that appear to be hosted on McAfee domains, when in fact the content is being served from elsewhere. Worse, no SSL errors would be generated in this attack, so even a vigilant user would be fooled.

SecureScience.net has demonstrated the attack by creating a "buy now" page for McAfee products, which, if a user clicked through to that page, would steal their credit card number and deliver a trojaned version of McAfee's product. (Click here for the dummied up CSS'd page. It won't bite.)

It's feared spammers could exploit the bug to offer seemingly legitimate "special deal offers" on McAfee products, using the CSS bug to create a genuine-looking purchase page with a valid SSL cert. McAfee, presumably, is scrambling to fix this second issue.

Ironically, marketing material for McAfee's secure scanning portal claims the service detects CSS vulnerabilities.

Sydney-based security consultant Chris Gatford, who works for Pure Hacking, believes the disclosures highlight an all too common hypocrisy among security providers. "It's a sad fact that many security service providers do not practice what they preach," he says.

Others thought the revelations were nothing short of hilarious. One local PCI Qualified Security Assessor (QSA), who did not want to be named, described the news as hysterical. "If there was a vote for lolz of the year I would be voting for McAfee Secure," he says. "That's just stunning."

McAfee isn't the only security vendor to wear egg on its face this year. The website of antivirus software maker Kaspersky was defaced in February. The website of BitDefender, another AV vendor, was also defaced.

Risky.biz sought comment from McAfee, but due to time-zone differences the company was unable to offer any response in time for deadline.

Pirate Bay Trial "Growing Pains"

Presented by Patrick Gray, CEO and Publisher

In June, Internet piracy as we know it turns 10.

It was June 1999 when Napster first hit the 'net, providing tech-savvy computer users with unfettered and free access to the largest catalogue of music ever assembled.

Napster was a brilliant piece of software. It allowed Internet users with Napster installed on their systems to "share" their digitised music collections with all and sundry. That meant limitless, free access to digitised recordings normally sold on CD.

Not surprisingly, music industry executives hit the roof. They dispatched the litigation drones and the service was effectively shut down in July 2001 after a fierce court battle in California.

Despite the fact the service was found to be illegal and shut down, Napster had already ushered in a cultural shift among those who'd used it. Consumers found the facility to download any song, virtually instantly and for free, addictive.

A few months after Napster bit the dust Apple released the iPod music player and digital music well and truly hit the mainstream. A host of Napster equivalents popped up all over the world to satiate consumers' newfound appetite for massive personal music catalogues.

There was eMule, eDonkey, Kazaa, Limewire, BitTorrent and so on. BitTorrent survived as the strongest standard -- it's technically robust and relies on websites, not a built-in feature, to list catalogues of files for "sharing". That means it's hard for the copyright lobby to sue the makers of the software. It's the operators of the index websites the copyright cops have in their sights.

The Pirate Bay is one such BitTorrent index, and it lists more than just music. (Note the use of present tense. Despite the conviction of The Pirate Bay Four, the site is still running in another jurisdiction.)

These days piracy is a problem for the movie and television industries as well as the music business. The proliferation of broadband services makes downloading video through peer-to-peer software easy, and piracy is rife.

There have been various approaches to combating illegal file sharing and some have been absurd. For years the recording industry in the USA engaged in a systematic campaign of litigation against individuals suspected of piracy. In one famous case a 12-year-old girl living in public housing in the USA was forced to settle a Recording Industry Association of America (RIAA) lawsuit.

A side-effect of this aggressive war on technology was the creation of a counterculture that believed piracy was actually ethical. As much as it scared the willies out of many would-be file sharers, the recording industry's thuggish behaviour made stealing from it feel just.

Today, however, it's harder to see how music piracy can be considered ethical in any sense. It's possible to buy music online through services such as Apple's iTunes Music Store and NineMSN. In addition, many artists choose to release their music on to the Internet as free downloads. They happily bypass the music industry and encourage people to share their tunes.

The music is out there, and there are legitimate ways of getting to it.

This is where it gets interesting. Many Internet users who'd download massive amounts of pirated content would justify their behaviour by insisting they would pay for the content if it were available to them online. Well, now it is.

Many movies are also available online as paid downloads and some TV shows are now made available online for no charge at all. It's all going online.

TiVo has just launched a pay-per-download movie service for its customers through home entertainment chain Blockbuster.

TV networks are also getting in on the action. The Nine Network, for example, has made the current series of Underbelly available for download from its website. It uses a special video format that allows Nine to insert demographically targeted ads into the videos and disable the recordings on the user's machine when the series ends. That way DVD sales are preserved, the content is ad supported and consumers are happy.

This is the future. Television shows, movies and music will all be primarily distributed online. Some will be ad-supported, some will be pay-per-download. Once this marketplace has been established, the argument against piracy starts to look like a slam-dunk. High-profile websites like The Pirate Bay will be shut down to preserve the new market, and so they should.

That doesn't mean piracy will completely disappear. It's a part of the rich tapestry of modern life and content producers need to accept it as such, just as they did when video and cassette recorders came along. (Tape-to-tape devices and mix tapes were supposed to be the end of the world back then, remember?)

Small online communities supporting the sharing (or piracy) of niche content (old cop shows, for example) will survive -- copyright holders are unlikely to pursue these operators aggressively. But The Pirate Bay was a flagrant smorgasbord of pirated content. Its operators even used to publicly ridicule copyright lawyers seeking to have specific content removed.

They earned the charges against them. Whether or not the state-funded investigation and prosecution in criminal courts was a good use of Swedish taxpayer money is a matter for debate.

The fact is lawsuits like the one against The Pirate Bay are just growing pains. They're a result of the friction between Gen Y types who want it all now and the copyright lobby's embarrassing attempts to litigate its way out of having to alter its business model. But we're getting there.

High profile piracy is on the way out, online video stores are on the way in.

But if you happen to have series three of Deadwood in a digital format, give me your address. I'll pop over with my portable hard drive for a cup of tea.

I doubt we'll get sued.

Patrick Gray is an Australian technology journalist and publisher specialising in IT security. In 2004, he covered the music industry's federal court lawsuit against Kazaa for Wired News. These days he is the host of the Risky Business IT security podcast.

Risky Business #106 -- Centrelink's new PLAID auth protocol

Presented by Patrick Gray, CEO and Publisher, and Adam Boileau, Technology Editor

This week's edition of Risky Business is brought to you by Tenable Network Security and hosted by Vigabyte virtual hosting at discounted rates.

We've got a great show this week. Australia's welfare agency, Centrelink, has written its own smart card authentication protocol and released it to the public. It's called PLAID and the plan is to have it recognised as an ISO standard. It's an extremely ambitious project and Centrelink's smart card architect Glenn Mitchell will be along to talk about it.

We also chat to Tenable Network Security's Marcus Ranum in this week's sponsor interview. We spoke about the recent hysteria around Chinese hackers apparently downloading the plans for America's Joint Strike Fighter.

Freelance security dude Adam "Metlstorm" Boileau is this week's news guest.

We'd like to hear your thoughts on PLAID, too. Do you think it's a waste of time and taxpayer money or a masterstroke? Call Sydney 02 8569 1835 or USA +1 877 688 8417 (Toll free)... or go to the risky.biz forums.


Hack Our New Authentication Protocol, Says Centrelink

Presented by Patrick Gray, CEO and Publisher

Australia's welfare agency released the draft implementation of PLAID last month. It created the new protocol because off-the-shelf solutions didn't match Centrelink's "business needs," Mitchell says.

He now hopes crypto-geeks all over the world will rip into the software, now in its second draft. "We need to make sure it's as secure as we believe it to be," he told the Risky Business podcast. "There may be issues... if anyone does any issues with it then we're more than happy to take feedback on board and see what we can do to review it."

Off-the-shelf solutions allow contactless smartcards to be identified via passive sniffing, Mitchell says. Even a PKI-based solution will allow an observer to intercept some static information that could be used to identify specific cards.

"[PLAID is] designed for privacy and security," Mitchell says. "For what we're issuing here at Centrelink there's a lot of traffic transmitted from the reader to the card and the card responds through the airwaves. That traffic... possibly if it had static information or determinable information, could identify the card holder."

With PLAID, he says, there's "no way to identify the card involved in the transaction".

While Mitchell recognises "rolling your own" cryptographic systems is risky, he says the use of well established, peer-reviewed cryptographic algorithms within the PLAID protocol will insulate Centrelink from the worst kind of mistakes.

"I completely agree. Rolling your own crypto is definitely not the done thing. History has shown us [it's] always a bad idea," he says. "[But] PLAID isn't a cryptographic algorithm, it's a protocol... it uses two algorithms, the first being the RSA cipher, the second being Rijndael."

The agency will roll out an off-the-shelf PKI-based smartcard system before upgrading the cards to use the PLAID protocol when, or if, it becomes ready.

While Mitchell hopes vendors will adopt the new protocol, he says most have shown reluctance to embrace a protocol that isn't recognised as a standard. "Once it is standardised... then we expect to see a little more enthusiasm," he says.

The plan is to have the protocol recognised as an Australian standard and eventually an ISO standard.

Click here to listen to the full interview with Glenn Mitchell in the Risky Business podcast.

Cool Tool: Why You Need Kon-Boot

Presented by Patrick Gray, CEO and Publisher

It's just another way to get full privileges once you have physical access, but it looks nice and simple and even supports Windows 7 for Chrissakes!

It's free and you can get it here.

Risky Business #105 -- RSA conference wrap plus X10 security

Presented by Patrick Gray, CEO and Publisher, and Adam Boileau, Technology Editor

This week's show is brought to you by Check Point Software.

This week's show is a bit of a mixed bag. We chatted with 451 group analyst Paul Roberts live from the floor at the RSA conference in San Francisco. Then for something completely different we quizzed Adam Pointon about his adventures with X10 home automation equipment.

Check Point Australia's Steve MacDonald is this week's sponsor guest, and Adam Boileau was this week's news guest.

To answer this week's call-in question, tell us what your experience with DLP software's been over the last year. Call Sydney 02 8569 1835 or USA +1 877 688 8417 (Toll free).


Pirate Bay Prosecution a Waste of Police Resources

Presented by Nigel Phair

Handing down a year in the big house is a strong deterrent against those who may consider doing this type of thing in the future, but is it really the best judicial outcome?

The Swedish cops raided The Pirate Bay a couple of years ago and seized servers, but even this action didn't shut the site down. The investigation was well handled, but surely police resources should be dedicated to more serious crimes.

While intellectual property theft is bad, it is more a civil tort than a wrong against the state. The International Federation of the Phonographic Industry (or IFPI, which has ex-cops working for it) and its regional subsidiaries are very active in pursuing those involved in deliberate infringement of copyright on a commercial scale, and they are effective in doing so.

They conduct their own investigations and have chalked up some impressive wins. And there are lots of good reasons for taking civil action as opposed to criminal prosecution. Civil cases are easier to prove: balance of probabilities versus beyond reasonable doubt. Rights holders are more in control in a civil trial, as opposed to the vagaries of the criminal system, and they can gain a better outcome: a negotiated settlement versus a drawn-out trial.

But this time the assault against piracy went down the criminal route. So in addition to the law enforcement resources required to handle the investigation, significant criminal court resources were tied up in the subsequent trial, and it's not over yet. Even though a decision has been reached, appeals and cross-appeals will play out for years to come.

And what about the sanction? In Australia and many other jurisdictions gaol time is reserved for very serious offences and violent criminals. More people in custody does not equal lower crime rates or lower recidivism rates. Prison should only be used as a means of last resort and there are alternatives to incarceration.

Not only are they cheaper for the taxpayer, but non-custodial sentences for copyright infringement better suit the characteristics of the offenders and their crimes. Better options include home detention (without internet access of course), community service orders and fines.

It's worth noting that despite the massive effort involved in this investigation and trial The Pirate Bay site has been moved abroad and is still active.

Nigel Phair was the Team Leader of Investigations for the Australian High Tech Crime Centre from 2003 to 2007 and the author of Cybercrime: The Reality of the Threat. He is an active cyber crime analyst.