Podcasts


RB2: ShakaCon Interview: Hackers with freakin' laser beams on their freakin' heads

Presented by Patrick Gray, CEO and Publisher

If you're an avid RB2 listener you would have already heard the ShakaCon presentation by Andrea Barisani and Daniele Bianco on non-conventional keystroke sniffing techniques.

Their presentation was on sniffing keystrokes through powerlines, or alternatively by using freakin' lasers attached to their frickin' heads to detect the sound of keystrokes and then work out what was being typed.

Well, RB2 correspondent Paul Craig was in Hawaii for ShakaCon and scored this interview with the pair, although it should be said that Andrea is the guy who speaks most here. Enjoy.


Juniper Networks Gags "ATM Jackpot" Researcher

Presented by Patrick Gray, CEO and Publisher

Security and network device vendor Juniper Networks forced Mr. Jack to cancel his presentation, an anticipated highlight of the Black Hat event, following pressure from the affected ATM vendor. The demonstration would have seen the researcher hack an ATM live on stage, causing it to spit out cash, or "jackpot".

"The affected ATM vendor has expressed to us concern about publicly disclosing the research findings before its constituents were fully protected," a statement issued by Juniper Networks reads. "Considering the scope and possible exposure of this issue on other vendors, Juniper decided to postpone Jack's presentation until all affected vendors have sufficiently addressed the issues found in his research."

Risky.Biz understands the ATM vendor had been given notification of the upcoming presentation, and Juniper Networks was initially happy for Mr. Jack to present his research findings publicly.

Security researcher and maintainer of the Open Source Vulnerability Database Brian Martin told Risky.Biz the cancellation of security-themed presentations by researchers' employers is an all-too-common experience. "Why does it come down to the vendor changing their mind or waiting to pressure," he asks. "They knew about the research, knew about the talk."

The latest cancellation echoes a similar event in 2005, when a talk on vulnerabilities in Cisco equipment by Michael Lynn was pulled from the conference by the networking giant in cooperation with Lynn's employer, security software maker ISS, which is now a division of IBM.

In a dramatic twist, Lynn resigned and gave his talk anyway. Ironically, he was hired by Juniper Networks, where he still works to this day.

In 2008 a talk on flaws in Apple's FileVault encryption technology was also pulled following pressure from the computer maker.

A security researcher who did not wish to be named expressed his disappointment at the cancellation. "It is a shame that this work won't see the light of day, at least for now," he told Risky.Biz. "Barnaby has always done great work and it would be great to learn some of his innovative new approaches to attacking systems that we trust with all of our money... plus, it's just damn cool."


Risky Business #113 -- Twitter propaganda with Maltego creator Roelof Temming and more!

Presented by Patrick Gray, CEO and Publisher, and Adam Boileau, Technology Editor

This week we're taking a look at the technology angle to this whole mess in Iran. We'll be chatting with Arbor Networks chief scientist Craig Labovitz about the filtering the government is doing over there, then we'll be checking in with Roelof Temmingh of Paterva.

Paterva makes Maltego, the open source intelligence tool that many people are using to analyse various aspects of information flow in Iran -- including the spread of propaganda via Twitterbots.

We'll also be hearing from Microsoft's Stuart Strathdee in this week's sponsor interview. He'll be joining us to discuss the company's free Morro antivirus package -- it's software that probably had more anti-trust lawyers involved in its development than actual developers.

Adam Boileau also joins us with the week's news.

Editor's note: We're aware that Roelof's name is misspelled in the headline, but if we change it, it'll break the current URL and cause drama. So we'll leave it for now. But yes, his last name is spelled Temmingh, not Temming. Apologies.


Avoiding Social Networking Can Backfire

Presented by Patrick Gray, CEO and Publisher

To my eyes Facebook just looked like a badly organized dating club, and the idea of having to fire regular musings out into cyberspace via a blogocannon has never appealed.

Figuring I was just too lazy to sign up for these services, my dear friend offered to register me anyway and just give me the passwords. Being a Google fanboy, he could sign me up as roelof.temmingh on Gmail and connect my newly created Facebook profile to that email account.

That got my attention.

I registered the email myself, quick smart, then some time later I registered my name at Facebook, with no profile information. It was a way to cyber-squat my own online identity.

It seemed like a good idea until a colleague pointed out that someone could create a profile in my name that looked more real than my blank profile. Then people would ignore my real Facebook entry and speak to "fake Roelof".

So much for the squatting plans.

So I did what I dreaded doing for a very long time and began populating my details and sending out 'friend requests'. It had the same feeling you get when joining a party where everyone is drunk, you've arrived late and don't know anyone. You know what I'm talking about.

Then the evil half of my brain got busy with hypothetical scenarios. What if I were to duplicate the process for the board members of a large company? I could even set them up with fake LinkedIn details. With a little investigation into their professional and personal life I could pull an Agent Smith and just become them! I could control who their virtual identity speaks to, who their friends are and perhaps later even start issuing press releases from their 'private' accounts. How long will it take before they realise their identities have been stolen?

I once asked the audience during a conference presentation "what's better -- to have a comprehensive profile on the Internet (e.g. be registered on social networks, have your email address known out there etc), or to have nothing about you known at all?"

Since my talk was about open source intelligence most people assumed nothing about you should be known to anyone. But I am not convinced. If nothing about you is known on the Internet it means you give attackers a clean page to work with -- they can cook up anything about you -- and there is nothing to refute their claims.

When phishers still thought that people needed to be convinced of the authenticity of websites, before they realised that people will click on any link, they would register a domain like abc-bank.com when the legitimate domain was something similar, like abcbanking.com. One solution for the banks was to proactively register all possible combinations of their trade name in a domain name.

The registrars sure smiled. It was a bit of a losing battle and the cost of maintaining and renewing all these useless domains was high. I fear that the same scenario is playing itself out in the individual online identity space at the moment.

The real problem we are facing is that we don't have a real concept of identity on the Internet. With websites and infrastructure we at least have SSL, which is admittedly mostly useless. Sure, we have class 1 certificates for people, but those just verify a person's email address.

In the past when someone presented you with a hotmail address you would have treated it with a fair amount of suspicion. But those days are gone. Everyone has a Gmail account and it's perfectly normal to send 'official looking' email using these accounts. Hell -- the guys that should be securing our government networks have a public webmail address on the 'contact us' section.

The root of this problem is always the end user. Technically we can solve this problem pretty easily. We'd start an organisation to verify the identities of people the same way that Certificate Authorities verify the identity of a corporation.

We ask for blood samples, retina scans, passports, photos, finger and voice prints. After all that we give them a nice digital certificate that they can use on any online service. Try forging someone's DNA, buddy!

But how many people will use the service? Here is web site A asking for an email address and there is B asking for a certificate verified by blood sample. I think I'd go with option A.

This isn't a technology problem. It's a PICNIC problem -- problem in chair, not in computer. Any website that can convince someone that it would benefit them if they give the site their details will win, and that means online identity will stay fuzzy for the foreseeable future.


RB2: SPONSOR PODCAST: Symantec malware update with Vincent Weafer

Presented by Patrick Gray, CEO and Publisher

This podcast entirely consists of a sponsored interview with Symantec's director of Security Response, Vincent Weafer.

We're absolutely stoked to have Symantec on board -- with them sponsoring we now have the means to expand what we can offer you on Risky.Biz.

Thanks to this relationship you'll be hearing regular podcasts from our new RB2 reporter, Paul Craig.

These sponsored podcasts are a way for Symantec to get out there and talk about topics it knows well. Let's face it, they've been in anti-malware since the woolly mammoth was a common form of transport, and following its acquisition of MessageLabs, Symantec is a big player in anti-spam as well.

So I got Vincent on the line and we talked about everything from Gumblar to the latest trends in spam, to the US Federal Trade Commission's role in shutting down rogue service provider 3FN. Enjoy!


RB2: Shaka Con Podcast: Keynote speech on corporate espionage by Luke McComie

Presented by Patrick Gray, CEO and Publisher

In this episode of RB2 you'll hear a keynote from the Shaka Con security conference in Hawaii. BT security consultant Luke McComie discusses various methods of getting around corporate defences, both physical and digital. The talk is about corporate espionage, and it's well presented.

Luke is a senior staff member (goon) at the DEFCON Security Conference and also contributes to several computer security organizations including the r00tcellar Security Team, 303 and Security Tribe.


RB2: Shaka Con Podcast: Interview with Luke McComie

Presented by Patrick Gray, CEO and Publisher

In this interview Risky.Biz reporter Paul Craig talks to BT security consultant Luke McComie about corporate espionage. Luke presented a keynote on the topic at the Shaka Con conference in Hawaii.

Throughout that presentation we heard how corporations don't adequately secure their physical environments, and this can lead to some pretty nasty consequences as far as information leakage goes. We heard Luke tell some war stories about slipping past security guards in that one.

So we heard about the victories, but in this interview Paul asks Luke to explain some of his more epic failures while doing the same.


Risky Business #112 -- Pollie wanna hacker? Special guest Senator Stephen Conroy

Presented by Patrick Gray, CEO and Publisher, and Adam Boileau, Technology Editor

This week's show is a cracker -- we have a very special guest, Senator Stephen Conroy.

The senator is Australia's Minister for Broadband, Communications and the Digital Economy and I caught up with him in Sydney last week to get his take on what he feels the role of government is when it comes to IT security.

We're also joined by Sydney-based security consultant Jason Edelstein who'll be chatting about telephone-related fraud. US authorities have just busted up a massive ring of phone fraudsters with links to Islamic fundamentalists, of all people. Over a period of years they hacked into more than 2500 systems and resold access via calling cards.

Apparently that netted them an estimated $55 million, which is certainly better than a kick in the proverbials.

We'll also check in with Stuart Strathdee from Microsoft. Stu's popping in to talk about 0day. There have been some really scary 0day bugs in Microsoft products lately, and Stuart pops by with his take on the situation.

He argues that Office 0days are actually pretty far down on ye olde risk register.

And of course we check out the week's news headlines with our good friend Adam 'Metlstorm' Boileau!

If you'd like to leave us some audio feedback, to be used in the Risky Business podcast, call Sydney 02 8569 1835 or USA +1 877 688 8417 (Toll free).


COMMENTARY: Domain.com.au Users Left Twisting In The Wind

Presented by Patrick Gray, CEO and Publisher

Fraudsters are placing fake rental property listings for affordable apartments on the Domain site. Upon contacting the purported landlord, would-be renters are instructed to transfer money offshore in exchange for apartment keys that will never arrive.

The 'landlord' claims to have moved to Italy, but promises to send the keys along with the lease when a bond is received in escrow. If the would-be renter doesn't like the apartment after using the keys to inspect it, they are assured their money will be refunded. There are, of course, no keys.

Or apartment, for that matter.

"I have found a procedure that will allow us to make a fast and safe deal and through this way you will see [the apartment] and decide if you will stay in the apt or not before I receive my payment," one of the scam e-mails reads. "In this way you will receive the keys in less than two days, if you move fast as well."

The wire transfer the fraudsters instruct their marks to use, conducted through Western Union, is irreversible and final.

Since Risky.Biz first exposed the current incarnation of the rental scam in May we've received e-mails and phone calls from several victims.

Nadine was taken for $8,000 in two transfers. After she'd sent an initial amount, the fraudsters managed to coax thousands more out of her with the promise of a budget lease.

Mohammad, a foreign student based in Hobart, lost $2,000. "I don't know what to do," he told Risky.Biz Friday last week. "I'm alone and I don't have any money... I'm homeless."

Risky.Biz referred Mohammad to the Tasmanian Fraud Squad.

As recently as this morning we received a telephone call from a Domain.com.au user in Brisbane who was almost taken in by the scam. There have been several such calls. Many of these users were only aware of the scam because they stumbled on Risky.Biz's coverage of it.

"I am currently looking for an apartment in Sydney and came across a deal which sounded too good to be true - and it was," wrote Sydney renter Paul Geddes. "My suspicions were confirmed by... coming across an article posted on your site on May 15th.... So thanks to and all involved for the alert."

Why are Risky.Biz and online fraud websites the only sources of information on the scam? Why aren't users finding out about the fraud from Domain.com.au itself?

Through its outsourced spin team, Red Agency, Domain.com.au says it's introducing a series of warning pages designed to combat the fraud.

How can this be taking so long? Why is this not the company's top priority? Can it really take five weeks to introduce a splash screen? Why won't the company identify the manager responsible for combating this type of fraudulent activity and make them available for an interview? Is anyone in charge of combating fraud?

The team at Fairfax Digital should be forced to speak to the victims of this fraud. It's heartbreaking. Most have borrowed money to pay for the bond and advance rent on their exciting new apartment. Instead of a new lease, however, they're left in debt and homeless.

Even worse, they're left feeling foolish.

The appropriate response, in the view of Risky.Biz, would be to send a press release and make some noise. Warn users. Get as many spokespeople in front of as many media sources as possible. The media is the perfect conduit through which warnings like this can be distributed.

Some companies are mature enough in their approach to raise the alarm themselves. As Australia's Commonwealth Bank was being hammered by a series of phishing scams targeting its users last month, it introduced a splash screen, shown to every user every time they logged in, warning them of the scam.

Admittedly the bank has more skin in the game than Domain.com.au -- direct losses through phishing -- but it's the view of Risky.Biz that organisations should protect their customers' money as if it were their own.

There is no downside to that approach. Instead, Domain.com.au is circling the wagons and dragging its feet.

It's not good enough.


Risky Business #111 -- PLAID make Gutmann ANGRY! Gutmann SMASH!

Presented by Patrick Gray, CEO and Publisher, and Adam Boileau, Technology Editor

This week's episode is hosted by Vigabyte and brought to you by Tenable Network Security.

On this week's show we're looking back at an issue we covered a little while ago: PLAID. No, not the oh-so-groovy pattern, but Centrelink's home-baked authentication protocol.

PLAID is a contactless smart card authentication protocol designed by Australia's welfare agency and released a couple of months ago. They're hoping to have it recognised as an ISO standard, but not everyone's convinced that's a good idea.

We'll be hearing from the University of Auckland's Peter Gutmann. He's a bit of a rockstar in the smart card and crypto fields, and he's had a look at the supporting documentation released by Centrelink and isn't too impressed.

It might sound like an Australia-centric story, but it's not. This is a fascinating case-study-in-progress for anyone considering doing this sort of wheel reinvention project.

In this week's sponsor segment we chat to Marcus Ranum about the liability chain when data leaks.

Securus Global's Declan Ingram joined host Patrick Gray at the pub to discuss the week's news headlines. Sorry about the background noise!
