
Fear Thy Name is Conficker

Presented by

Patrick Gray

CEO and Publisher

Over the last few weeks you may have read reports of a computer worm named Conficker. It's sophisticated and has infected millions of systems.

What you might not know is you actually funded its development.

The virus writers of old were trying to bring the pigopolist system down, man, but today, it's all business. Viruses make money for their creators by stealing credit card data from infected systems.

This type of fraud is the backbone of the cyber-criminal economy, and because merchants are generally forced to cover the cost of card fraud[1], they've already factored losses into the price you pay for that six-pack of beer or that new plasma screen telly. You're funding this crap, and it's the banks' fault.

Let's dig a little deeper.

Estimates of the number of computers Conficker has infected range from three million to 15 million. In anyone's language, that's a lot of computers. But Conficker is what many in the computer security field would consider a "garden variety" virus. Aside from its admittedly impressive distribution, it is sophisticated but unremarkable.

So why all the media attention? Well, for starters it's due to "activate" on April 1, and there's nothing the media loves more than a good old-fashioned countdown. Consider it a mini-Y2k to feed the news cycle. And like Y2k, there'll be some fairly disappointed commentators and doomsayers when, on April 1, Conficker quietly upgrades itself on the computers it has infected and starts doing the rather mundane bidding of its masters.

No mushroom clouds. No power blackouts. No blood running through the streets.

The Conficker network -- every infected system can be controlled by the creators of the virus -- will just do what similar nasties have done in the past: send spam and malware to other computers, steal the credit card numbers of the owners of infected systems via keystroke logging software, and attempt to overload grey-market websites.

Those with the most to fear from Conficker -- in the short term at least -- are online casinos and pornography sites. The network of Conficker-infected computers will be able to overload selected websites with bogus requests until the target falls over.

It's called a Distributed Denial of Service (DDoS) attack and, through blackmail, it pays. Want your Web site to work again? Give us $10,000 and we'll stop. For now, there are enough payers out there to make DDoS attacks worth doing.

But the big money is in credit cards. In fact, if credit cards didn't exist, the size of the cyber "underground" -- the unholy alliance of computer criminals and more traditional fraudsters -- would be considerably smaller.

It works like this. Every time you make a purchase online, there's no way for the merchant to know if you are actually holding the card in your hand. They need the card number (16 digits), expiry date (4 digits), the name on the card and sometimes the three-digit "security" (ha!) code from the back.

So all anyone needs to make a credit card purchase from your Visa or Mastercard account is 23 digits and a name. Modern viruses like Conficker intercept this information from your computer as you type it into your keyboard. And we wonder why the bad guys are raking it in. Alternatively, skilled attackers may break into the systems of merchants or credit card processors and steal large databases containing your credit card data. This, in a nutshell, is how online credit card fraud works.

Card-not-present fraud in Australia has increased by 50 percent over the last 12 months, according to the Reserve Bank of Australia. You'd think this would have the banks scrambling to remedy the situation, but as the liability for most fraud rests with merchants, they have little motivation to invest in solutions.

In fact, a secure online transaction project named MAMBO, being developed by bank-owned payment services company BPay, has been postponed because (it's rumoured) there wasn't a strong enough business case for it to continue. If banks were forced to own the liability for card fraud, that business case would change instantly.

For their part, consumers are protected from fraud on their cards by the card issuers, so they don't have a reason to kick up much of a stink. So the merchants carry the can for the bulk of the fraud and, of course, they factor fraud losses into their prices.

You are funding criminal activity while the banks stall projects that could combat it.

Think of the "fraud premium" on prices (or the infamous "credit card surcharge") as a tax the merchants apply to everything you buy. That "tax" exists to recoup the money destined for large criminal syndicates, which use it to invest in better computer virus technology.[1]

This is what economists would call a market failure.

Over the last several years there have been token efforts to improve the card fraud situation. The Payment Card Industry Data Security Standard, or PCI DSS, forces merchants to make some effort to secure credit card data as it passes through their systems. It's expensive to implement and it's clearly not working. Merchants' systems are still being breached left, right and centre.

PCI DSS is a band-aid on a bullet wound, and governments are starting to notice. The United States House of Representatives Committee on Homeland Security has just held a hearing (today) into the effectiveness of PCI DSS. The Department of Homeland Security is concerned the proceeds of data breaches and credit card fraud are funding terrorist activity.

It's not such a paranoid notion. Last year an influential Egypt-based cleric is believed to have issued a fatwa encouraging young Muslims to engage in cyber and credit card fraud to fund anti-Western activities. (No one has actually found evidence of the fatwa, but on the Internet perception is reality, and the unconfirmed edict is held as truth.) Herein lies another reason to fix the broken credit card model.

So what can we do? Well, we need to make card-not-present fraud impractical to carry out. We can make a good start by introducing more robust forms of authentication to card-not-present transactions. SMS or voice biometric authentication would be a good start. Banks in Europe are experiencing some success with portable chip and PIN readers.

Alternatively we could move to a completely different transaction model in which your sensitive information is never handed to the merchant, such as in a direct deposit via your online banking. It's a much more sensible way of doing things.

The fact is we are moving toward a more secure online environment, but the progress to date has been glacial. Let's hope that in a few years advancements in transaction security will rob criminals' motivation to create computer viruses like Conficker. Until then, we've just got to ride it out.

[1] Some credit card companies offer schemes that allow merchants to shift liability back on to the card issuer, but they also come at a cost, as does chargeback insurance.

Patrick Gray is the host of the Risky Business security podcast and the managing editor of Risky.Biz, an information security news outlet.

RB2: Consolidation is coming, an interview with Palo Alto CEO Lane Bess

Presented by

Patrick Gray

CEO and Publisher

Today on Risky Business 2 we speak with Lane Bess, the CEO of Palo Alto Networks. Founded by firewall pioneer Nir Zuk, Palo Alto makes what it calls a next generation firewall.

We don't normally talk to suits like Lane on Risky Business, but hey, that's what this second podcast feed is all about. We thought it would be interesting to get his take on movements in the security market given everything that's happening in world markets.


Risky Business 101 -- DECT hacking plus special guest Paul Asadoorian

Presented by

Patrick Gray

CEO and Publisher

Adam Boileau

Technology Editor

This week's episode is sponsored by Microsoft and hosted, as always, by Vigabyte virtual hosting.

We're shifting focus a little bit in this week's feature and taking a look at DECT hacking. DECT is the Digital Enhanced Cordless Telecommunications standard, and as you'll hear, it's not always implemented correctly. That can be a lot of fun for the evil guys out there.

Blair Strang will be joining us to talk about that.

Also on this week's show we'll catch up with the host of the PaulDotCom security podcast, Paul Asadoorian. He's popping by to do this week's news segment, and boy, what a week for news it's been.

Microsoft's Internet Explorer product manager, James Pratt, pops by to discuss the new security-related features in the browser in this week's sponsor interview.

If you'd like to comment on anything you've heard on Risky Business, or suggest something you'd like to hear on the show, you can call Sydney 02 8569 1835 or USA +1 877 688 8417 (Toll free).


Quality, Opacity, and the Wiseass Business Model

Presented by

Adam Boileau

Technology Editor

Normally at these sorts of events protocol dictates that I have a sales department chaperone present at all times to make sure I use the correct fork for the shrimp cocktail, etc, and this was no exception.

My technical colleague and I riffed away, deftly interspersing witty-yet-topical infosec anecdotes with sales patter and doomsaying while we charmed the gathered CIOs with our analysis of the threat insiders posed to their organisations.

Now, you and I know that any sort of insider access is game-fuckin-over, but for the purposes of making the presentation more sales-friendly than a single powerpoint slide saying, "you're all fucked, plz give us some money while you're still in business," we humoured them.

As I drew to a close, I looked around the audience, fruit platters on the table, a few shunned greasy pastries (they did have bacon, at least) and stewed coffee. I went for my concluding slide -- the last bit of useful information to be shared with the room before the sales drones would activate and attack.

When my sales-chaperone guy saw it he started twitching up the back -- it was off topic and he knows how I roll.

"People sometimes ask me 'Adam, if you were in a room with two dozen CIOs and you could tell them one thing, what would it be?'," I began.

They don't, by the way, but hey -- I get to use any sort of shabby segue I like when I'm clucking on my particular nest. So here's what I'd say.

"Security is hard. It's hard to buy and it's even harder to know if you've bought it. But you have to care, so you hire experts in this arcane field, just as you would any other technical niche. And if the expert says 'your stuff is broken,' then you know where you are. But if they say 'your stuff is great,' then you've got a problem.

"Is it really great, or are they awful? Did your expert have a bad day? Is he covering for the fact they just lost half their tech team to a competitor? Did they give you a junior guy, or a box ticker, or even worse, are they out to sell you kit? You don't know, because quality is opaque to someone who isn't an expert here.

"If you take one thing away from today, it's that this stuff is hard, and the quality of my work is opaque to you. The only rational choice is not to trust me. So don't hire us. Hire Deloitte, or IBM or whoever you want. But next quarter, pick someone different. Rotate your audit providers. Use one now, another for the audit next quarter, maybe even two different parallel providers on a critical project. Pit us against each other and make us compete. Then at least you have relative quality metrics, which is more than you have at the moment."

It's true, you know -- I'd much rather be going into a pen test or an audit knowing that some high-priced big-5er has already been through with Nessus and Impact, picking off all the dumb shit that just wastes everyone's time to write up. There's no joy in savaging the poor fish in their nesting barrels. (Of course this assumes that the big-5er actually did spot all the low-hangers, which is, uhhh, Not My Experience.)

Yes, your domain controller is still vulnerable to MS06_040. No, you've never patched, your passwords are crap and you have 100,000 clear-text credit cards in /tmp on your RHEL3 box. I'd much rather write up a report about some point of entry that forced me to write a python script to exploit it -- at least then I get to use the Courier font non-ironically.

That's actually the best bit of advice I could ever give a CIO. Please, for the love of God, don't just pick one security supplier. Don't let them cut and paste you the same report every quarter. Get someone else in. Compare the reports, the findings, the quality of the write-ups and mitigation advice and ./sploit.py scripts attached.

Please. Please? I mean, we worked real hard writing them up for you. I know you've only got a 40-minute project meeting, and best to just glance at the summary-table and cross out everything rated less than 'ohmigod'. But please. Get someone else. Don't make me write the same report twice. Let me write a report that I know is going to make some big-5 infosec team look like the boxtickers they are. Please. Let me at them. You know I'm going to find their report on your \\fileserver anyway after I MS06_040 your win2k domain controller and have to resist the urge to open it up for the epic lulz that will be within.

Do it for the good of your shareholders. You owe it to them to get a second opinion on something as important as your security. Currently you may not know who is doing the quality work, but it won't take you long to find out -- all you have to do is shop around. You can't tell if you're getting quality, so make us all work to show you.

Hell, maybe we should give discounts to customers who provide us with their previous provider's reports after we've written ours. The lulz would be so worth it. I'll suggest it to salesguy. Well, I would if he wasn't too busy talking scoping with the douche bag who called me a wiseass.

Metlstorm is a New Zealand-based freelance security consultant. He's created several tools including Hai2IVR, Winlockpwn and SSH_Jack. He's also an organiser of the annual Kiwicon security conference in Wellington, New Zealand.

NEWS: Linux Gets New Firewall

Presented by

Patrick Gray

CEO and Publisher

Announced with little fanfare last week by iptables developer Patrick McHardy, the launch of the nftables alpha has barely been mentioned by the press.

That's somewhat surprising, considering the new software will represent the biggest change to Linux firewalling since the introduction of iptables in 2001.

Gordon 'Fyodor' Lyon, the creator of the nmap security scanning tool, says he's excited by the alpha release.

"I'm... looking forward to its general release in the mainstream Linux kernel," he told Risky.Biz. "The previous transitions from ipfwadm to ipchains and then to netfilter (iptables) each brought a new, more powerful firewall interface to the user. I expect nftables to do the same."

Administrators who learn the nftables syntax will find it much more expressive and easier to read, Lyon added.

Melbourne-based CSO Adam Pointon says he's surprised the announcement hasn't made more of a splash.

"It's the next generation Linux firewall," he says. "It's a significant milestone and people should pay attention to it."

However, it's not great news for everyone. Iptables and netfilter will be phased out as nftables becomes the norm, Pointon says, which could create some extra work for security appliance manufacturers.

"Iptables is used heavily by lots of UTM products, like routers, DSL modems and the like," he says. "Support will end for that code and everyone will move to nftables. So all the Linux boxes out there using it... will eventually have to re-write all their stuff or wind up using old, unsupported code."

The new firewall has native IPv6 support and userland queuing. "Snort and anything at that layer will be better integrated," Pointon says, adding that nftables will be faster, process rules more efficiently and allow administrators more control at the userland level.

The code base is also significantly smaller. "That can only be a good thing for its security," Pointon says. "It will take Linux firewalling to the next level."

While the alpha release is available now, nftables will go through an extensive beta testing phase before finding itself included in the Linux kernel.
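As an added illustration of the "more expressive and easier to read" claim above, and of the native IPv6 and userland queuing features Pointon mentions, here is a small host-firewall policy in nftables syntax with the iptables/ip6tables commands it replaces as comments. This is a constructed example, not code from the article or from the nftables project's own documentation, and one caveat applies: the syntax is that of the nft tool as it later shipped in mainline Linux, not necessarily that of the 2009 alpha discussed here. Port numbers and the queue number are arbitrary choices for the example.

```nft
# Added example: minimal host firewall in nftables syntax (mainline nft syntax,
# not necessarily the 2009 alpha's). Commented lines are the iptables rules each
# nft rule replaces. Load with:  nft -f host-firewall.nft   (file name assumed)

# One "inet" table covers IPv4 and IPv6. With iptables the whole ruleset had to be
# duplicated for ip6tables:
#   iptables  -P INPUT DROP
#   ip6tables -P INPUT DROP
table inet filter {
    # A named set keeps the allowed services in one place and is editable at
    # runtime; iptables needs "-m multiport --dports 22,80,443" on the rule itself.
    set tcp_services {
        type inet_service
        elements = { 22, 80, 443 }
    }

    chain input {
        type filter hook input priority 0; policy drop;

        # iptables -A INPUT -i lo -j ACCEPT
        iif lo accept

        # iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
        ct state established,related accept
        ct state invalid drop

        # iptables -A INPUT -p tcp -m multiport --dports 22,80,443 -j ACCEPT
        tcp dport @tcp_services accept

        # iptables  -A INPUT -p icmp   -j ACCEPT
        # ip6tables -A INPUT -p icmpv6 -j ACCEPT   (IPv6 neighbour discovery needs this)
        ip protocol icmp accept
        ip6 nexthdr icmpv6 accept

        # Userland queuing: hand inbound SMTP to a userspace inspector listening on
        # netfilter queue 0 (a Snort-style process decides accept or drop) instead of
        # iptables -A INPUT -p tcp --dport 25 -j NFQUEUE --queue-num 0
        tcp dport 25 queue num 0

        # Everything else hits the chain policy; log it first so the drop is visible.
        log prefix "nft-input-drop: " drop
    }
}
```

After loading, `nft list ruleset` prints the policy back in the same syntax, which is itself the readability argument: the running state and the config file are the same text, where iptables-save output and the original shell commands never quite match. The log rule at the end is the practical check: if legitimate traffic stops, its prefix in the kernel log tells you which rule set dropped it.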

Router Botnet Uncovered

Presented by

Patrick Gray

CEO and Publisher

The group claims the botnet has been targeting DroneBL's servers in a denial-of-service campaign for several weeks and is the first of its kind. It uses brute-force password cracking attempts to hijack any Linux mipsel routing device that uses insecure or common username and password pairs.

"This is the first known botnet based on exploiting consumer network devices, such as home routers and cable/dsl modems," the DroneBL team wrote in a post on their Website. "Action must be taken immediately to stop this worm before it grows much larger."

DroneBL claims many devices are vulnerable to the botnet, which is spreading automatically using compromised hosts to propagate. The size of the botnet, dubbed "psyb0t," is currently unknown.

Malware to Bite Apple in 2009

Presented by

Patrick Gray

CEO and Publisher

It's been easy to see why, historically, most Mac users haven't felt the same level of security-related anxiety as Windows users. Until now, no one has really bothered targeting them.

When commentators like this one dared suggest, in 2003, that Apple's OS X software was susceptible to the same sorts of vulnerabilities that have plagued other operating systems, the reader reaction was so severe it was worrying.

Indeed, one of the comments posted on the piece by a particularly passionate reader suggested ZDNet's Sydney bureau would make an excellent destination for a truck laden with explosives.

Keep in mind that in 2003 there were few vulnerabilities being disclosed in OS X, leading most consumers to genuinely regard it as more secure. But from there, a trickle of bugs began to be disclosed. By 2008, OS X was giving Windows a real run for its money in terms of the number of bugs being disclosed and patched. The myth of OS X as a "secure" operating system was destroyed among the more savvy types in the IT industry, and Apple dropped its rhetoric about its operating system's amazing invulnerability to malware.

Yet in the years since the malware never showed up. Sure, anyone with half a clue could trigger a client-side exploit in OS X, but what then? The science of writing Trojans for Windows-based operating systems is mature; staff at CERT teams and AV companies have actually found comments and evidence of revision control in modern PC malware.

Mac malware has been primitive in the extreme by comparison -- the bad guys just haven't built up their OS X chops yet.

Last year, news of simple script-based Mac malware doing the rounds surfaced. The badware would simply alter the user's DNS settings, so it was pretty simple stuff. Some may argue that's actually pretty serious -- if an attacker can control their target's DNS, a man-in-the-middle hack is trivial, thanks to browser insecurity (Hi, Safari!). Still, this early Mac malware was hardly what you'd call sophisticated.

But now we're seeing some much, much nastier stuff. Risky.Biz forwarded a recently obtained Apple malware sample to two parties -- Paul Ducklin at Sophos (disclaimer: Sophos is a sponsor) and a contact who'd prefer not to be named.

Paul had seen that sample before, and Sophos's products detected its payload. But it was what the other had to say that I found particularly interesting.

His analysis indicated the sample -- which pops up as a Flash installer on, err, "video sites" -- may in fact automatically trigger upon download. How? Well, every time Safari downloads a file with a DMG (Apple disk image) extension, it auto-mounts it when the download completes. That behaviour is Safari's "Open 'safe' files after downloading" preference, which is switched on by default.

That's really handy, but also a security issue, especially when you remember that there have been buffer overflow vulnerabilities in the code OS X uses to mount DMG disk images. So if a user hadn't patched against the DMG overflow, all they'd have to do is click "OK" on a bogus Flash installer notification, served from the domain apple-updates.com. OS X would do the rest for you.

My contact couldn't be 100 percent sure the sample was trying to trigger the DMG bug, but even the possibility should give us pause; it would mean the badware is getting much smarter.

To be fair, Windows still does some similar, super-daft things. The Conficker malware is currently spreading left, right and centre because it's basically impossible to disable autorun in Windows without resorting to a registry hack.

The payload in the Mac malware sample in question was a 'dloader,' tasked with connecting to some shady data centre in Eastern Europe and downloading more bad stuff.

This is much more sophisticated than a script that just alters some DNS settings. It's closer in sophistication to the malware we've been seeing targeting PCs for the last 10 years.

Interestingly, we haven't seen this dloader actually grabbing a payload yet. That tells me these guys haven't bothered actually writing a serious Trojan yet -- they've just sent the first stage of the attack out there to see how many bots they wind up with.

If they get enough, undoubtedly they'll actually create some "real" malware for it, and begin distributing it to pre-infected hosts.

So that's it folks. Mac malware has arrived, and what a party it's going to be. Most Mac users are convinced they're using a magical, impenetrable platform, so they don't actually use antivirus software. Apple's advertising campaigns of yesteryear actually encouraged that mentality. Combine that with Apple's expanding market share, and the average Mac user is now a very tempting target. A sitting duck, if you will.

Enjoy the next couple of malware free months, Mac users, because you're in for a rough ride in '09.

Patrick Gray is the managing editor of Risky.Biz and the host of the Risky Business security podcast.

Confidence is Key

Presented by

Nigel Phair

The online environment is just like the real world, yet for some reason many consumers completely abandon their street smarts the second they fire up their browsers. When a leather-clad, toothless ruffian is walking up and down the street saying "give me $500 and I'll come back in an hour with a computer worth $1000," everyone knows not to trust him. Yet this is the same premise by which many scams, such as online auction fraud, are perpetrated.

The success of online criminals is harming consumer confidence.

In late 2008 I released the findings of the Consumer Trust and Confidence Online Survey [pdf] which was aimed at determining the level of trust and confidence of Australian Internet users within the online environment. The survey focused on e-commerce, social networking and online safety.

There were some interesting results. For example, 35 percent of respondents were more trusting of online transactions than two years ago. That sounds great until you realise 65 percent were either less trusting or had the same level of trust as two years prior.

Considering the Internet's increasing value and importance to the Australian economy, these statistics should ring alarm bells for anyone with a vested interest in online commerce.

Let's dig a little deeper.

The two most important factors considered by survey respondents when deciding whether to purchase goods and services online were the reputation of the merchant and the payment method. Now we have some actionable information that tells us organisations must boost their reputation to bolster consumer confidence. Here's how:

  • Be transparent -- give honest and open responses to customer questions and feedback
  • Be flexible -- recognise change in systems and behaviour and implement swiftly
  • Establish a reputation system -- it's a popular feature for eBay transactions
  • Reflect reality - customers (and the media) are smarter than you think [They sure are.. ;) -- ed], they can sniff out a fake quickly.

Which leads into payment methods. While plenty of organisations abide by the Payment Card Industry Data Security Standard, some just don't. Media reporting of e-commerce organisations that have been compromised with the loss of customer credit card and personal information is a weekly occurrence.

But it's not just targeted hacks that are causing problems, there are far simpler forms of fraud. Consumers have proven willing to send payment for non-existent goods to unknown beneficiaries in international destinations via money transfer systems like Western Union.

Why do consumers engage in this risky behaviour? Maybe it's because online consumers are usually at home in a relaxed and comfortable environment where they can't see the normal visual cues that make us suspicious. Like the guy who's trying to sell you the Blu-ray player is covered in prison ink and has no teeth.

In a real world transaction their radar is far better attuned to detecting the potential for fraud.

The successful integration of e-commerce into the Australian economy is dependent upon the level of trust and confidence consumers have in the digital environment.

Developing new kinds of commercial activities utilising the Internet hinges on assuring consumers that their use of networked services is secure and reliable, that their transactions are safe and that they will be able to verify information about transactions and transacting parties. There are too many organisations that have a commercial interest in establishing customer trust and confidence in online technologies for this not to be taken seriously.

Nigel Phair was the Team Leader of Investigations for the Australian High Tech Crime Centre from 2003 to 2007 and the author of Cybercrime: The Reality of the Threat. He is an active cyber crime analyst.

Risky Business #100 -- L0phtCrack is back

Presented by

Patrick Gray

CEO and Publisher

Adam Boileau

Technology Editor

This week's podcast is brought to you by Tenable Network Security and hosted, as always, by Vigabyte virtual hosting.

It's a special day for us at Risky Business HQ -- we've launched our new Web site: http://risky.biz/

We now publish two podcasts, video and written news and opinion. There's also forums, so by all means go and sign up for an account! We'll see you in there.

On this week's show we're talking to L0pht/@stake/Veracode co-founder Chris Wysopal about the rebirth of L0phtCrack, the legendary password cracking package.

In this week's sponsor interview, Tenable Network Security analyst and Open Security Foundation dude Brian "Jericho" Martin pops in for a chat about dataloss -- are you more likely to lose data through a USB key, lost laptop or an actual attack?

Adam Pointon also pops by for a look at the week's news.


RB2: PRESENTATION: Krusher Goes Wardialling

Presented by

Patrick Gray

CEO and Publisher

In this first post in our fresh new RB2 podcast feed, you'll hear Krusher's presentation to the second Kiwicon conference in New Zealand.

It was recorded in September 2008.

H D Moore has also done some interesting work with wardialling. You can hear him discuss his work on WarVOX here.
