The infosec industry is a fraud

Presented by

Adam Boileau

Technology Editor

Sure, maybe it's not 1994AD any more. But let me posit this, which I culpably dub Metlstorm's Assertion:

The cost of owning a corporation is a fraction of a percent of their annual infosec spend.

Let's go with 0.1%. Can you think of any organisation you've worked for, or on, or with, or pwned that you couldn't own for the sales margin on a single Check Point device?

Let's assert the value of owning a corporation -- if you're any good at the order-fulfillment bits of crime, which I'm not -- is proportional to its market cap.

The ratio of cost-of-ownership to value-of-ownership is so low as to have an ROI to an attacker that is nearly infinite.

Stated more concisely (unusual for me, I know): the incremental cost to an attacker between not hacking you and hacking you is so close to zero we have to assume they actually do.

Which means you should proceed on the assumption that your corp is already owned.

We live in a world where our desktop machines get USB autorun worms, where a garden-variety botnet worm owns entire Ministries of Health, where insider attacks are commonplace, where biometrics doesn't work, where routers are backdoored by offshore manufacturers with various political goals, where we pay janitorial services staff minimum wage because they've only got physical access to, well, everything via their trivially clonable RFID proxcards running on building management software off a crappy old NT4 box in the basement. Ok Metl. Breathe.

You see where I'm going with this. There is no infosec industry. We're just doomsayers who take the chumps money while they've still got it, and when they don't we just scare the next lot senseless until someone pays up. We don't actually improve anything.

The infosec industry is a trinity: the boxpushers (vendors), the chumps (the users), and the doomsayers (us, the pentesters).

Boxpushers sell kit to the chumps, who've been goosed into thinking they need it. The doomsayers occasionally pity the chumps, but are generally stuck in io-wait, writing off the boxes being pushed as useless, impractically complex, and that highest criticism of all: boring.

Us doomsayers take the chump's money, then tell them in excruciating and savage detail how much they and the boxes they got pushed suck.

And they invariably do.

When we're on a typical gig we sit around, amusing ourselves intellectually by doing something we'd all probably just do for fun anyway, call it work, and then tell the chumps in serious sounding language quite how poked they are today.

There is doom. Unending grimness. Like the darkened frostbitten forests of Ukrainian blackmetal album covers.

Hell, in the case of boxpushers, they actually make it worse (Hi mail antivirus gateways! Hi IDS consoles, hi shatter-prone desktop asset management and patch deployment solutions, giving up localadmin like [security researcher] Brett Moore slipped you his best Mr December smile under the digital cyber eMistletoe.)

I ask you again -- is there any corporation you've seen where the upper bound of cost to own them wasn't proportional to the janitor's hourly rate? We all know, deep in our guts, that we could own anyone. And we wouldn't be doing it with Ben Hawkes' heap technique -- that stuff's for impressing cons and talking shit in bars, not wasting on actual attacks. We'd just roll like it was 1994AD; and we'd win. Every time. You know it. And how much would it cost? To own a bank, a telco, an ISP, a critical infrastructure provider? Really, we all know the turgid, sodden, doomladen truth.

How much would it cost?

Yeah. Exactly. Fractions, my man. Fractions of a percent.

Metlstorm is a New Zealand-based freelance security consultant. He's created several tools including Hai2IVR, Winlockpwn and SSH_Jack. He's also an organiser of the annual Kiwicon security conference in Wellington, New Zealand.

Six ways you can bork PCI

Presented by

Declan Ingram

1. Misunderstanding.

Don't treat PCI DSS as a purely technical standard. A few minutes browsing through it and you'll know why -- there is a stack of technical requirements.

Usually, however, it's hard to meet the technical requirements without first taking care of policy issues. For example, it's a bit backwards to install a new firewall when you don't yet have configuration standards.

The trick for achieving compliance is to read the PCI DSS backwards. Start at requirement 12 and have your risk management framework in order, then your policies, then procedures, configuration standards, then implement it, and audit it.

Don't let a technical manager own your PCI compliance responsibilities. The path of least resistance is down, and generally the most difficult challenges for compliance are within the business and business process -- not technology. Make sure PCI lands on the desk of someone who has the authority to enforce it throughout the organisation.

That said, of course the staff responsible for PCI DSS Compliance need to have a full and complete knowledge of the standard. Someone with "just enough" knowledge of the standard can be dangerous and wind up costing you more than you bargained for.

2. Misinterpretation.

The requirements and the priorities of the standard are well laid out by the PCI council, but it is important to fully understand the scope of compliance within your business. If you have card data used across many systems, you cannot be compliant as an organisation until ALL cardholder systems are compliant.

Many fall into the trap of investing too much time and resources into deciding on the minimum effort required in order to achieve compliance. It buys time from the banks, but it's not a long term approach.

This distortion of the intent of the standard is not only damaging to compliance, but can distract from the security of your organisation as a whole. Apply PCI in accordance with the "spirit" of the rules.

3. Validation.

Validation is not compliance, and compliance is not validation. While organisations that come under PCI DSS must be fully compliant at all times, validation is periodic and its rigour depends on the size of the merchant.

If you are genuinely compliant, staying that way will not be hard, and passing a validation check won't be difficult. If you've cut corners to do the absolute minimum, ongoing validation is when your poor approach will bite you on the ass. Also remember you could be asked to validate your compliance at any time -- especially after a security incident.

4. Cause.

The specific requirements of the PCI DSS are nothing extraordinary, rather they are generally considered to be best practice. If you're not compliant, you really have to ask why.

For each and every point, find out what the root cause of non-compliance is. Is it poor risk management? Lack of resources? Legacy systems? While this can be an overwhelming task at first, if it's performed from a top down approach (as suggested in the first point) it will pay dividends.

5. Framework.

An ad-hoc approach simply does not work. Tying it all together into a framework is the only way to achieve continued compliance. This must cover and have support from all aspects of the business that PCI touches. This can be everyone from HR, project managers, data entry staff, receptionists, etc. Have a plan and work to it.

6. Beware Snake Oil.

You may have noticed the discussion of specific products has been avoided. That's deliberate. There are endless combinations of products that can be used to achieve compliance, but there is no specific product that is required for compliance. If anyone -- vendor, QSA, consultant, etc. -- suggests otherwise to you, you are best to politely escort them from the building.

Declan Ingram works for Securus Global, a Sydney-based security consultancy. He has a pwnie-tail and likes to fly aeroplanes dangerously.

RaceToZero Reloads

Presented by

Bogan

The idea was simple. We'd install a bunch of anti-virus products and see who could modify existing viruses to sneak them past detection engines. There'd be beer and banter, a fun afternoon. It wasn't really a scientific contest -- most of the functionality of the scanners was actually turned off. We'd only test the CLI-based signature and heuristic components of the suites.

I'm one of those poor, poor souls who's been forced to repeatedly deploy appalling, sub-standard, anti-virus shit in enterprise environments over the last few years. Sick of trying to fight a virtual wildfire armed only with the IT equivalent of a warm leaf of lettuce, my friend Rich and I decided to stage RaceToZero as a form of protest.

We'd show the world just how awful antivirus software had become. The world would finally understand our pain.

When we announced the contest, some AV commentators and journalists virtually lost their minds. The first RaceToZero contest, held at DEFCON XVI in Las Vegas last year, was indeed a tad on the controversial side.

Some commentators seemingly expected the headless horseman of the Apocalypse to come riding through the casino when the contest began. Kaspersky antivirus founder and CEO Eugene Kaspersky actually compared the Race To Zero with bank robbery and the distribution of narcotics to children. In the minds of some, we were showing the bad guys how to do stuff they couldn't have learned on their own.

Others were a tad friendlier. They saw RaceToZero for what it was -- a bit of fun designed to demonstrate the ineffectiveness of signature-based antivirus technology as a sole method of defence against modern threats.

Either way, we didn't expect the publicity we got last year. In the words of George Carlin, the whole thing turned into a "huge, prick-waving dick fight". A circus, if you will.

So we're doing it again.

To live up to our critics we had planned a HERF gun making contest (hai2EugeneK) but decided on slipping viruses past AV products again instead. The friendly team from OffensiveComputing.net provided the samples we used last year and this year will be taking over the running of the competition.

RaceToZero is still my baby, but I'm happy to send it off to temporary but loving foster care.

OffensiveComputing.net's extensive knowledge of malware, reverse engineering and all things anti* will definitely lift the contest to another level. It won't be as half-assed as last year (it's more likely to be fully-assed) and may actually produce some results that can be seen as useful benchmarking for endpoint security products.

The Anti-Malware Testing Standards Organization (AMTSO) has published guidelines for dynamic testing and RaceToZero will stick to them.

That means getting all fancy and scientific. As much fun as the last contest was, we didn't really prove much. This time we're trying to create a methodology that might actually tell the people responsible for buying endpoint security something useful, like which products did better.

That's right, vendors, you really should be scared now. We're going to empirically show the world how useless you are, instead of just heavily implying it.

While this balanced, unbiased testing of behavioural AV engines is happening, there will be a live scoreboard so that contestants and spectators alike can see how well the teams are doing and how effective each engine is at detecting the threats.

Another upgrade to the contest is automated unpacking and analysis of samples submitted by contestants, which will be validated against the contest guidelines.

Over the coming weeks more information will become available on the RaceToZero Website and the DEFCON Forums. We look forward to seeing all past and future contestants in Vegas again this year!

bogan \m/

Bogan is a security engineer and researcher from .nz. He is also instrumental in the organisation of Kiwicon, New Zealand's real-deal security conference. In his spare time bogan likes cooking, wearing black and admiring a good burnout.

Welcome to Risky.biz!

Presented by

Patrick Gray

CEO and Publisher

Thanks to a stellar effort by Gold (his real name, no kidding) at Evolved Development, we've been able to put together what we hope will be Australia's premier information security news site.

Along with the regular Risky Business podcast, Risky.biz will host:

  • The Risky.biz blog:
    • We hope to have several dozen contributors from various sectors of the infosec community on board within the first few months. Get the inside scoop straight from the horse's mouth. Giddy up! Nyeeeeeeah!
  • News articles:
    • We also plan to publish news articles written by professional journalists in the blog feed. They will be labelled NEWS:
  • Risky Business 2, or RB2
    • Risky Business 2 is our new, second podcast. In Risky Business two you'll hear talks as recorded at various conferences, as well as single-shot interviews recorded by Risky.biz staff and freelance contributors. The RSS feed will include sponsored content, but it'll be clearly labelled.
  • Forums
    • Once you sign up for an account you can join the conversation!
  • Video
    • This section will take a little while to get rolling, but we plan on bringing you video features from interviews to HOWTOs.
  • Webinars
    • Within a couple of months we'll be rolling out a new site section called "The Pitch", a monthly Webinar hosted by security vendors who want to make sweet, sweet love to Risky.biz readers, listeners and viewers.

The Risky Business podcast first launched in February, 2007, and has published 100 editions, along with special content recorded at conferences like AusCERT, GovCERT, Kiwicon and Ruxcon.

We hope we can make a red-hot go of this site in 2009, despite business conditions being, err, sub-optimal. Speaking personally, I look forward to getting to know you all through our forums. So what are you waiting for? Sign up and let's get started!

Patrick Gray
Managing editor
Risky.biz

Risky Business #99 -- H D Moore rang... 4500 times

Presented by

Patrick Gray

CEO and Publisher

Adam Boileau

Technology Editor

Risky Business is brought to you this week by Check Point Software and hosted, as always, by Vigabyte virtual hosting.

This week's feature is all about wardialling. H D Moore pops in to discuss his latest project, WarVOX.

WarVOX is a wardialler with a difference -- instead of trying to connect to any modem that may be found when you're dialling, WarVOX just records a snippet of audio when the line answers, then analyses it to see what it is. Think of it as nmap for the PSTN.

Juniper Networks Senior Security Research Manager Steve Manzuik is this week's news guest, and Steve MacDonald checks in for this week's sponsor interview.

If you'd like to comment on anything you've heard on Risky Business, or suggest something you'd like to hear on the show, you can call Sydney 02 8569 1835 or USA +1 877 688 8417 (Toll free).

We'll be sure to include your comments in next week's show!

The music heard at the end of this week's show is by Peregrine. Buy their stuff! See their shows!


Risky Business #98 -- Are Oracle administrators agents of Satan?

Presented by

Patrick Gray

CEO and Publisher

Adam Boileau

Technology Editor

This edition of Risky Business is sponsored by Sophos.

On this week's show we take a look at a recent survey [pdf] released by Oracle in conjunction with the Independent Oracle User Group.

It found 11 percent of Oracle administrators had never applied a critical patch. In fact, 70 percent of Oracle DBAs surveyed were at least three months behind the patch release times.

How did we get here? Securus Global's Declan Ingram pops in to discuss the possible root cause of such startling data. Race To Zero organiser and master chef Simon Howard also shares his thoughts on database host security.

Paul Ducklin pops by for this week's sponsor interview. We ask Paul how endpoint security providers like Sophos can be expected to battle 0day threats such as the recent PDF and Excel flaws.

If you'd like to comment on anything you've heard on Risky Business, or suggest something you'd like to hear on the show, you can call Sydney 02 8569 1835 or USA +1 877 688 8417 (Toll free).

We'll be sure to include your comments in next week's show!

UPDATE: Due to a production glitch in the original podcast recording, certain audio snippets (music, bumpers) were incorrectly rendered. The file has been fixed and replaced!


Risky Business #97 -- Antisocial networking

Presented by

Patrick Gray

CEO and Publisher

Adam Boileau

Technology Editor

Yeah yeah, we've all heard about the threat from social networks -- employees post juicy information that attackers can hoover up during reconnaissance. But what if a determined attacker actually infiltrated the social network that exists between your employees? What if they then used that trust to phish for VPN passwords?

That's what the guys from the Snosoft research team claim to have done in a recent customer engagement, with spectacularly successful results. You can read their post here.

Melbourne-based CSO Adam Pointon joins us to discuss the idea.

This week's show is sponsored by Microsoft. Mike Reavy of the MSRC pops in this week to explain Microsoft's exploitability index, and Adam Boileau joins us for the week's news.


Risky Business #96 -- When iPhones Attack

Presented by

Patrick Gray

CEO and Publisher

Adam Boileau

Technology Editor

This week's edition of Risky Business is brought to you by the fine folks at Check Point Software. They've been making firewalls since 1645!

On this week's show we take a look at the issue of mobile security. You'll hear an excerpt from Fionnbharr Davies' talk at Ruxcon in which he outlines the horror that is an iPhone turned against its master.

After that we check in with Rick Howard, the director of iDefense Labs in the USA. Despite every vendor under the sun predicting the birth of the mobile hacking age since the year 2000, Rick says 2009 is shaping up as the real deal.

Steve MacDonald from Check Point also swings by for this week's sponsor interview -- the topic? Firewall optimisation software. It's hot right now. So hot. Hot like Hansel.

Risky Business will be late next week -- expect it to be up on Friday. If you'd like to leave feedback for our audio mailbag, you can ring:

Sydney 02 8569 1835 or USA +1 877 688 8417 (Toll free)


Risky Business #95 -- Burning Down the House

Presented by

Patrick Gray

CEO and Publisher

Adam Boileau

Technology Editor

This week's podcast is sponsored by Tenable Network Security and hosted by Vigabyte virtual hosting.

On this week's show we chat to the head of iDefense Labs, Rick Howard. He joins us to discuss the threat posed to organisations from disgruntled ex-staff. Layoffs have been ramping up, and we've already seen two high-profile incidents involving cranky admins burning down the house, or at least trying to.

Rick also chimes in with his predictions for 2009.

In this week's sponsor interview we chat to Tenable Network Security's CEO Ron Gula, who'll fill you all in on the new, whiz-bang bundle containing Immunity Inc's CANVAS exploitation tool and Tenable's own Nessus software.

This week's news is huge. Munir Kotadia joins us from a small resort island off the coast of Malaysia to discuss the headlines. No joke. Bastard.

You can find the link to the phpbb.com hack here.

Donations to the bushfire relief fund can be made to the Red Cross here.

And don't forget to leave feedback at our voicemail boxes:

Sydney 02 8569 1835 or USA +1 877 688 8417 (Toll free)


Risky Business #94 -- We're Baaaaaack

Presented by

Patrick Gray

CEO and Publisher

Adam Boileau

Technology Editor

This week's edition of Risky Business is brought to you by Sophos and hosted, as always, by Vigabyte virtual hosting.

On this week's show we ease back into the year by chatting with Neohapsis founder and CTO Greg Shipley about the ineffectiveness of security technologies and the rise of DLP.

Munir Kotadia stops by with this week's news, and Paul Ducklin from Sophos talks Conficker.

If you're interested in the CERT advisory on Autorun mentioned in the news, you can find it here.

And while it's not mentioned in the show, there's an interesting PDF the team at GOVCERT.NL put together on the md5 SSL thing. Grab it here.

If you'd like to leave some feedback for the Risky Business audio mailbag, call the following numbers and speak your mind! You might just hear yourself on next week's show...

Australia: 02 8569 1835
USA (Toll free): +1 (877) 688-8417
