Podcasts

On this week's show we're taking a look at Flash applications. With tonnes of thick client apps being replaced with apps built on Flash, we thought we'd have a chat to Azimuth Security's Alex Kouzemtchenko about what some of the pitfalls in developing Flash apps are.

This week's edition of the show is brought to you by Symantec, and we're stoked to have that company's CTO, Marc Bregman, on the show for this week's sponsor interview. He's an interesting guy and he's got a lot to say, not surprisingly, about where we're all headed as an industry in light of the McAfee Intel deal.

Adam Boileau, as usual, drops in to discuss the week's news.

On this week's show we're chatting with F-Secure's Jarno Niemela about some of the issues with Authenticode. He'll tell us about one fascinating case where a piece of malware actually carried a valid signature from a real company... stolen keys, right? As it turned out, that company didn't make software and had no idea what an Authenticode cert actually was. Jarno got to the bottom of that little mystery and tells us all about it after the news with Adam Boileau.

In this week's sponsor interview we're chatting with Tenable Network Security's CSO Marcus Ranum about a new project being run by DARPA, the US Defence Advanced Research Projects Agency.

The project is called CINDER and it's all about detecting rogue insider behaviour. It has potential to be a VERY interesting project, and Marcus shares his thoughts on it.

Here's a link to Jarno's CARO conference slides [pdf].

In this week's show we take a look at all the big news events over the last week. A newly rediscovered DLL hijacking technique has made some waves over the last seven days, as has the arrest in India of an e-voting machine security researcher.

Adam Boileau joins the program to discuss those items and others in this week's news segment.

In this week's feature interview we take a detailed look at Intel's decision to acquire security software maker McAfee for USD$7.68 billion. What is the reaction among analysts and the wider market?

Neohapsis CTO Greg Shipley and Gartner's Rob McMillan join the program to discuss.

This week's sponsor interview is with Ed Curtis from Research in Motion. He pops in to talk about different approaches to the mobile security problem. Should we even bother with IDSing mobile environments? Curtis says yes!

This week's guest is Felix "FX" Lindner. A well known researcher, FX has spent more than his fair share of time crawling around the innards of Blackberry devices.

He joins us this week to discuss the hubbub about lawful interception and Blackberry devices -- how resistant to wiretapping are they? What's the OS security like? What's the encryption scheme like?

As it turns out, the Blackberry holds up pretty well on most fronts, but FX fears law enforcement and intelligence agencies may start exploiting the baseband chipsets on mobile devices in order to intercept the data they carry.

It's a cracker interview.

We stick with the mobile theme in this week's sponsor interview, asking Symantec's Vincent Weafer why that company is focussing its development efforts on the Android platform. What makes Symantec so confident that Android will become the platform of attackers' choice?

Lateral Security's Adam Boileau pops in to discuss the week's news, including the "holy crap" news that McAfee is to be acquired by Intel for a figure appraoching USD$8b. WTC?!

Here's the Blackberry whitepaper mentioned in the show.

Last Tuesday was an unremarkable day. I awoke to the usual E-Mails IRC chatter and RSS reading, the most noteworthy of which was a small cluster of ZDI advisories addressing issues in WebKit.

Then I spotted the following, unremarkable tweet from @davidfarrier:

"some chap in china just hacked my gmail. and just to tell people about iphone 4s. as if people didn't know already. silly bugger."

Quickly followed by this:

"seems like lots of us twits have had our gmails/hotmails hacked this week. are you on the "hack" list? i certainly was."

The tweets in themselves were unremarkable. What was interesting was the amount of chatter surrounding the keywords "Gmail" and "Hacked". Everyone I spoke to throughout the morning knew someone who had been compromised or had been sent badly constructed spam from someone's legitimate Gmail account.

An initial look around suggested that thousands if not tens-of-thousands of accounts have been hit.

So what was going on?

Well, simply put, every "hacked" Gmail account was logged into using valid credentials that appeared to have been previously stolen. Once the attackers compromised the accounts, they drafted emails to the victims' contacts with an email along these lines:

Dear friends:

Last week ,I have Order china Samsung UN55B8000 55-Inch

this w e bsite:dhsellso.com

I have received the product!

It's amazing! The item is original, brand new and has high quality, but it's much cheaper. I'm pleased to share this good news with you! I believe you will find 7what you want there and have an good experience on shopping from them.

Regards!

Presumably this was the work of a script with previously compromised account details purchased from a botnet or phishing operator. There's nothing remarkable about it at all.

In each sample that I have looked at, the source IP address of the Gmail session was the unremarkable China located 115.49.90.219 and the text was identical (with exception to the product being pimped).

One possible theory that has been raised by several people I have talked to (and this is, just a theory), is that the BGP "misroute" earlier in the year captured a bunch of logins (HTTP, POP3, IMAP) to Gmail services and they have been harvested as apart of this attack.

Personally, I find it hard to link the two together. The reason why I find it difficult to believe is because I think that an operation capable of dragging in 37,000 networks (and managing to successfully sniff the bridged the traffic), would not blindly sell the acquired data to some crappy low-level scam operation.

That sort of capability would surely attract higher bidders.

So let's continue to work with the unremarkable theory of buying some stolen Gmail credentials from a basic botnet operation to log in and send spam.

So what was the deal with the spam? The target site was dhsellso.com which in itself is also unremarkable in many ways. It doesn't appear to host malware or phish people for details. It is reasonably well constructed and appears patched against known flaws. It is, by all accounts, just a good ol' fashioned "too good to be true and there for is fraud" site.

Funnily enough, the person(s) behind dhsellso have struck before and have registered at least two other sites at the same time as dhsellso.com presumably for nefarious purposes (dbyers.com and dbyers1.com).

So what is remarkable about all this? How successful the operation has been.

This is for several reasons:

1) Harvested email lists traditionally sell by accuracy. 100,000 email addresses at 70% accuracy will always sell for more than 100,000 email addresses with 60% accuracy. In this case, by using the victims address book, you can be sure the accuracy of the target email addresses would have been high (maybe 90+%?).

2) Dhsellso.com succeeded in getting their message out beyond e-mails. Systems such as blogger.com and posterous allow users to configure "magic" or hidden email addresses that when emailed, generate blog posts. Naturally, many blogs around the world started showing posts with dhsellso.com email subject and body on Google almost straight away.

3) The "junk" rate of the generated emails within Gmail / Google Apps has been pretty "low". Presumably because emails originated from valid Gmail HTTP sessions & accounts.

4) Given the fact that all emails would have appeared from trusted people, I would imagine the click rate might have been pretty high

5) The fact that no one gives a shit. Pretty much everyone I spoke to who had been hacked simply shrugged, changed their password and moved on. Like getting your Gmail account owned happens every other day.

Seeing such remarkable results from such unremarkable campaigns is a tad depressing.

Now, back to my unremarkable day.

This week's show is a cracker -- we're joined by IOActive's Barnaby Jack.

He made some major waves at BlackHat this year by demonstrating his attacks on ATMs.

He joins the show to discuss his research and talk about why his talk -- which was originally scheduled for last year's BlackHat conference -- was cancelled last year.

Kaspersky Lab's Vitaly Kamlyuk is this week's sponsor guest. He joins us to discuss what AV companies can do to detect some of the more exotic malware out there such as Stuxnet.

Adam Boileau, as always, checks in with the week's news headlines.

On this week's show chat to H D Moore about his research into the security -- or lack thereof -- of the VxWorks embedded operating system.

H D did a presentation at the Security B-Sides event that ran concurrently with Black Hat in Las Vegas. As it turns out VxWorks is used in a lot of places and the people who put it together suck at maths.

People who suck at maths write bad hashing algos. Really.

We'll also have a chat with Ron Gula of Tenable Network Security in this week's sponsor interview, and of course, Adam Boileau stops by for a chat about the week's news headlines.

This week we take a look at Verizon Business Security Solutions' data breach investigation report. It declares APTs are nothing more than marketing hype! Polly Waffle!

Verizon's Bryan Sartin and Mark Goudie join us to discuss the report and that company's position on APT hype.

You can find the full report here.

Symantec's Francis deSouza stops by for this week's sponsor interview. In it we discuss the company's plans for its newest acquisitions -- Verisign and PGP corporation.

Adam Boileau also joins us, as usual, to discuss the week's news.

This week's show is a cracker, and it's brought to you by our brand spanking new sponsor Research In Motion, makers of the Blackberry.

In this week's show we're taking an in depth look at the Stuxnet malware and the hideous, unpatched .lnk bug still affecting Microsoft systems. Paul Ducklin joins us to chat about that.

Ed Curtis from Research in Motion will be along in this week's sponsor interview to have a chat about some of the mistakes people make when rolling out Blackberry Enterprise Server, stay tuned for that.

Adam Boileau, of course, stops by to discuss the week's news headlines!

The online customer database of a New Zealand-headquartered pizza store chain has been compromised.

Risky.Biz understands multiple intruders have compromised Hell Pizza's 400mb database. While it does not contain any credit card information, it does contain in excess of 230,000 rows of customer entries.

The company operates 64 stores in New Zealand, three in England, nine in Australia and one in Ireland.

The database entries include the full names, addresses, phone numbers, e-mail addresses, passwords and order history for the company's customers. The information is "doing the rounds" across New Zealand.

Some who came into contact with the database contacted the company last year, posing as "concerned customers", but received no acknowledgement of the data breach. They fear the database may have already found its way into the wrong hands.

When contacted by Risky.Biz, Hell Pizza co-owner Stuart McMullin said he was unaware of the data breach. He offered no comment when a list of questions was e-mailed to him, beyond acknowledging the contact from "concerned customers" in 2009.

"I have spoken to my IT staff and they are not aware that our site was hacked or any records lost," McMullin wrote in an e-mail to Risky.Biz. "There were a couple of 'customers' that thought it was the case last year who emailed us - perhaps these are the sources you are referring to - but not to our knowledge."

While the database has become a valuable tool for security professionals in New Zealand, they believe the exposure of the data is exposing the company's customers to spam and other attacks.

It's possible that many users have recycled their passwords between their e-mail, PayPal, TradeMe, banking, eBay, Hell Pizza and other accounts. Even if just a few percent of the company's customers are recycling passwords, the database is worth obtaining, they say.

Downloading the Hell Pizza database, apparently, was very easy.

One source Risky.Biz spoke to says they looked into the security of the website when rumours of the breach started doing the rounds:

Immediately I spotted the SQL Queries being made by the Flash SWF as part of the query string to the server-side. The Flash client makes queries which are hard-coded in the .swf (this is dumb as it means SQL Injection is effectively a 'feature' of the store).

You could easily alter the query string to show the hashes stored in the MySQL users table. I figured out the version of MySQL was 4.0 (Debian Sarge) - and the hashes in this version are very weak, cracking them would take less than a couple of hours.

MySQL was listening on a remote port, so one could simply log in remotely and run queries or dump the database slowly so as to not be noticed.

Security researcher and Metasploit creator H D Moore described the security arrangements of the online ordering portal, as described above, as "about 50 steps of fail".

Another penetration tester says the Hell Pizza database is an excellent example of "non critical" information that could still be used by attackers for great benefit.

The Chair of New Zealand's Internet Task Force, Paul McKitrick, told Risky.Biz that he had heard rumours of the database circulating around the security community as far back as last year.

"A database like this of New Zealand users' personal information provides miscreants with a valuable list of commonly used, New Zealand-centric passwords which could prove useful in brute forcing passwords," he said.

"If Hell Pizza were aware of this then they should have notified their customers. I do not know what actions Hell Pizza took, but I was a customer and I have never received any notification that my personal information has been compromised."

McKitrick, the former head of the New Zealand Government's Centre for Critical Infrastructure Protection, added organisations that collect and store the personal details of their customers, have a responsibility to notify their customers if they believe that there has been a breach of their personal information.

"This enables customers to do something about mitigating their own personal exposure, such as ensuring that the compromised password was changed everywhere it had been used, because people frequently reuse their passwords."

Hell Pizza reported the breach to police after Risky.Biz provided it with some database excerpts it could verify.