Attorney General Confirms CNVA "Suspension"

Presented by Patrick Gray, CEO and Publisher

The Computer Network Vulnerability Assessment program was designed "to help organisations that own or manage critical infrastructure test the security of their computer networks and systems".

To date, 32 CNVA projects have been approved with 30 projects proceeding.

Projects have been undertaken in the banking and finance, energy, food chain, health, transport and water sectors, a spokesperson from the Attorney General's department says.

The program will be suspended on July 1 "pending review".

Launched in 2004, the CNVA aimed to assist those maintaining critical infrastructure in identifying key weaknesses in their security. Yet to date, the Attorney General has doled out just $2.2 million through the scheme.

Still, the department insists the program may yet be revived.

"The CNVA program is likely to be re-activated in the future, however no decision has been made on timing," the spokesperson says.

One penetration tester interviewed by Risky.Biz wasn't surprised. He says the "refund" nature of the subsidy often made applying for the grants more trouble than they were worth. "It didn't align with organisations' typical procurement processes," he says.

The program identified critical infrastructure as "physical facilities, supply chains, information technologies and communication networks which if destroyed, degraded or rendered unavailable for an extended period would significantly impact on the social or economic well-being of the nation".

Our thanks to Drazen Drazic for bringing this story to our attention.

Scary Stats Don't Spook Netizens

Presented by Nigel Phair

Despite mounting risks on an information superhighway jammed up with malware, 419 scams, phishing and credit card fraud, the number of 'net users is still growing rapidly.

All the way back in 1998, America's National Institute of Standards and Technology (NIST) categorised and analysed 237 computer attacks. The results of that analysis revealed such pearls as:

  • 3 percent of attacks enabled websites to attack their visitors
  • 4 percent of attacks scanned the Internet for vulnerable hosts
  • 5 percent of attacks were effective against routers and firewalls

These figures tell us that surfing the internet, even back in 1998, was not a risk free activity.

But today, the numbers are out of control.

Recently the Pentagon confirmed 360 million attempts to penetrate its networks throughout 2008.

Sure, a lot of that is probably malware background noise, but a million intrusion attempts a day is noteworthy, regardless of whether they're automated or not.

The CERT Coordination Centre at Carnegie Mellon says catalogued vulnerabilities have increased from 171 in 1995 to 7236 in 2007, and to me even that sounds like the tip of the iceberg.

It doesn't stop there. The Anti-Phishing Working Group tells us the number of websites infecting PCs with password-stealing 'crimeware' reached an all-time high of 31,173 in December 2008. This was an 827 percent increase from January 2008, and again, probably a conservative, tip-of-the-iceberg estimate.

Things have changed a bit since the first ever Australian phishing investigation. In April 2003 we were notified of the existence of a dodgy looking Commonwealth Bank website. It seemed pretty interesting at the time, but today authorities hardly clamour to get involved in phishing investigations. The crime is too common and too hard to investigate.

Along the way there have been numerous vendor, CERT, academic and government inspired surveys and reports, which all point to one thing -- increased risk.

But what has all this doom and gloom resulted in? The OECD reports that from 2000 to 2007 there was a 256 percent global increase in the use of the Internet, with take-up now standing at 20 percent of the world's population (or 58 percent penetration for OECD member states).

Facebook (in operation since 2004) has 200 million active users with 100 million of these people logging in at least once a day.

The threats just aren't scaring away users.

So why do we need all these numbers?

Alas, statistics are the only true way to analyse effectiveness and compare results. As a forecaster I would say (from summarising this collection of data) that threats will continue to increase, but so will the number of Internet users. It's somewhat counterintuitive, but there you go.

As a global economy and more importantly as a global industry we do need to record and analyse these statistics related to IT security. But the more interesting line of inquiry is what you do with such alarming numbers when the average internet user just doesn't seem to care about escalating risks?

Nigel Phair was the Team Leader of Investigations for the Australian High Tech Crime Centre from 2003 to 2007 and the author of Cybercrime: The Reality of the Threat. He is an active cyber crime analyst.

Risky Business #109 -- Open source intelligence with Maltego creator Roelof Temmingh

Presented by Patrick Gray, CEO and Publisher, and Adam Boileau, Technology Editor

This week's episode is hosted by Vigabyte and brought to you by Check Point software.

This week you'll be hearing an interview with Roelof Temmingh, the creator of Maltego. Maltego is seriously cool software that you'll probably want to have a play with.

Roelof joins the podcast to talk about how you'd use his software to pwn a three letter agency.

In this week's sponsor interview Check Point Software's Steve McDonald joins us to discuss how vendors might create very specific kit for very specific problems. Think of SCADA firewalls and boxes designed to prevent VoIP toll fraud, stuff like that.

Are mega-specific solutions a band-aid approach and a terrible idea, or are they better than nothing?

As for this week's news, we all know him, we all love him and his beautiful, lustrous, soft, soft UNIX beard. Adam 'Metlstorm' Boileau joins the program, as usual, to chew the fat and discuss the last week's big headlines.

Running time: 36:24

RB2: AusCERT podcast: LOLtastic speed debating

Presented by Patrick Gray, CEO and Publisher

This speed debating panel from AusCERT's 2009 conference was loltastic. It takes about 15 minutes to really get going, but stick with it.

Risky Business regulars Peter Gutmann and Paul Ducklin participated in this panel, as did host Patrick Gray.

The debate was hosted by James O'Laughlin, who's probably best known in Australia as the host of The New Inventors television program. He's a terrific moderator.

Anyway, I've chopped the whole thing down to about 50 minutes. Keep in mind this panel was held as the storms in Queensland peaked. The conference hall actually lost power when the panel was about to start.

So here it is, the Speed Debating panel from AusCERT's 2009 conference. Enjoy!

Running time: 53:26

RB2: AusCERT podcast: David Rice on customer centric signalling

Presented by Patrick Gray, CEO and Publisher

The following is a recording of David Rice's talk at AusCERT's 2009 conference. David is a sensational public speaker. Risky.Biz actually podcasted his keynote from the GovCERT conference in the Netherlands last year.

This talk is similar, but sufficiently different to warrant posting here.

David is best known as the author of Geekonomics: The Real Cost Of Insecure Software, and a consultant with Monterey Group. Enjoy!

Running time: 46:01

RB2: SPONSOR PODCAST: Microsoft's Steve Lipner on Visual Studio SDL template

Presented by Patrick Gray, CEO and Publisher

Our coverage of AusCERT's 2009 conference is sponsored by Microsoft, and so we're doing these sponsored interviews about Microsoft stuff.

But that's OK, because it's all interesting!

In this interview with Microsoft's Secure Development Lifecycle big kahuna, Steve Lipner, we discuss the company's decision to release an SDL template for Visual Studio that allows third party developers to use Microsoft's SDL workflow.

It will hopefully mean fewer bugs in non-Microsoft Windows apps sometime in the future!

Running time: 11:08

RB2: AusCERT podcast: Maltego creator Roelof Temmingh discusses falsifying digital identities

Presented by Patrick Gray, CEO and Publisher

The following audio is an excerpt from Maltego creator Roelof Temmingh's AusCERT presentation.

Maltego is a very interesting bit of information visualisation software. If you haven't heard of it, check it out.

We've all heard the saying that we all leave digital footprints on the web. Well, in this part of his talk Roelof talks about creating false footprints, or false online identities.

It's seriously interesting stuff and not the sort of thing that you normally hear about at a security conference. We'll be posting an interview with Roelof at some point also.

Running time: 12:08

RB2: AusCERT podcast: iPhone forensics

Presented by Patrick Gray, CEO and Publisher

In this recorded AusCERT presentation you'll hear Forward Discovery's Steve Whalen discussing forensic techniques for the iPhone. This is VERY niche stuff, mostly of interest to forensics guys and gals. That said, a lot of security people use iPhones so some may be interested to know what sort of techniques apply to a device they carry. Enjoy!

Running time: 30:43

AusCERT's Ops Manager Leaves for Microsoft Job

Presented by Patrick Gray, CEO and Publisher

Karl Hanmore joined AusCERT in 2005 following a five-year stint as the IT security manager of the Bank of Queensland. His new job at Microsoft, where he will be dubbed a senior security strategist, will see him pack his bags and move to Redmond.

"I will be heavily involved in relationships with various CERT teams globally, ensuring a smooth operational relationship between these teams and Microsoft," Hanmore told Risky.biz. "It's all about making sure that the end user and their support network have access to the information they need to remain secure online."

Hanmore described working at AusCERT as a highlight of his career.

AusCERT director Nick Tate says he will be missed. "It's clearly a great shame to be losing Karl," he says.

The resignation comes as a significant shake-up of the national CERT landscape looms.

The AusCERT organisation, which is technically a registered business name of the University of Queensland, will lose its title of national CERT. However, Tate says AusCERT will continue to provide services through the new, Attorney General-funded CERT program.

"We'll be providing some of the services for that," he says. "AusCERT is very much continuing... We're working on a service level agreement at the moment."

RB2: SPONSOR PODCAST: Microsoft's Jeff Alexander discusses Windows 7 Security

Presented by Patrick Gray, CEO and Publisher

In this sponsored podcast from AusCERT's 2009 conference, Microsoft's Jeff Alexander discusses the features of Windows 7 that are likely to be of interest to security pros. DEP, BitLocker portable, AppLocker, UAC changes, the lot. Enjoy!

Running time: 15:20