
RB2: McAfee bug finder, Mike Bailey, speaks to Risky.Biz

Presented by

Patrick Gray

CEO and Publisher

It's been 24 hours since Risky.Biz published a news story about several vulnerabilities -- CSRF and XSS bugs -- found in McAfee's secure vulnerability scanning service.

The story has gone global, with outlets like News.com and The Register picking it up.

So we got Mike on the phone to discuss his research. As it turns out, McAfee is just the tip of the iceberg. Bailey says this is a much bigger issue affecting most PCI scanning vendors.

You can find our original news story here.


McAfee Gets Worked. Hard.

Presented by

Patrick Gray

CEO and Publisher

A Cross Site Request Forgery (CSRF) vulnerability uncovered in McAfee's "secure" vulnerability scanning portal would have allowed an attacker to take control of client accounts. The portal is designed to scan customer websites for security vulnerabilities and fulfil some PCI DSS compliance requirements.

To fall victim to the attack the target would have to be logged in to their McAfee account and browse to a malicious website that exploited the CSRF bug.

Commenting on his CSRF discovery, security researcher Mike Bailey didn't pull punches. "Until last week, McAfee Secure was vulnerable to critical CSRF holes," he wrote on his blog. "Not little ones, or ones that were difficult to exploit. [These are] basic, zero-knowledge, classic GET-based total-account-compromise holes."
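To make the class of bug Bailey describes concrete, here is an added illustration (not McAfee's code and not Bailey's research): a minimal model of a portal handler that changes an account setting. The first version accepts a GET request authenticated only by the session cookie the browser attaches automatically, so a request triggered from another site succeeds; the hardened version requires POST, checks the request origin against the portal's own, and demands a per-session token that a third-party page cannot read. All routes, session identifiers, account data and origins are constructed for the example.

```python
"""
Added illustration of GET-based CSRF and its mitigation.
Not the portal's code; every name, route and value here is hypothetical.
"""
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Request:
    """A simplified HTTP request as the server sees it."""
    method: str
    path: str
    cookies: dict                      # attached automatically by the browser
    params: dict = field(default_factory=dict)
    origin: str = ""                   # Origin header; "" models an absent header


@dataclass
class Account:
    email: str


# Constructed server state: one logged-in session for one account.
SESSIONS = {"sess-abc": "alice"}
ACCOUNTS = {"alice": Account(email="alice@example.test")}
CSRF_TOKENS = {}                       # session id -> per-session token
SITE_ORIGIN = "https://portal.example.test"


def session_user(req):
    return SESSIONS.get(req.cookies.get("session"))


# --- Vulnerable: state change over GET, cookie is the only check ---------
def vulnerable_change_email(req):
    """The classic hole: a cross-site <img src=...> fetch carries the
    victim's session cookie, so the server cannot tell it from a real click."""
    user = session_user(req)
    if user is None:
        return 401, "not logged in"
    ACCOUNTS[user].email = req.params["email"]
    return 200, "email updated"


# --- Hardened: POST only, origin check, per-session secret token --------
def issue_csrf_token(session_id):
    """Token embedded in the portal's own form; the same-origin policy keeps
    pages on other sites from reading it."""
    token = secrets.token_urlsafe(32)
    CSRF_TOKENS[session_id] = token
    return token


def hardened_change_email(req):
    user = session_user(req)
    if user is None:
        return 401, "not logged in"
    if req.method != "POST":
        return 405, "state changes require POST"
    if req.origin != SITE_ORIGIN:
        return 403, "cross-origin request rejected"
    expected = CSRF_TOKENS.get(req.cookies.get("session"))
    supplied = req.params.get("csrf_token", "")
    # Constant-time comparison; a missing server-side token must never pass.
    if not expected or not hmac.compare_digest(expected, supplied):
        return 403, "invalid csrf token"
    ACCOUNTS[user].email = req.params["email"]
    return 200, "email updated"


def cross_site_request(handler, method="GET"):
    """Models a request a third-party page causes the victim's browser to
    send: the cookie rides along, but the token and correct Origin do not.
    Returns (status, resulting stored email)."""
    ACCOUNTS["alice"].email = "alice@example.test"          # reset state
    req = Request(method, "/account/email",
                  cookies={"session": "sess-abc"},
                  params={"email": "changed@third-party.test"},
                  origin="https://third-party.test")
    status, _ = handler(req)
    return status, ACCOUNTS["alice"].email


def legitimate_request():
    """Request submitted from the portal's own form, carrying the token."""
    ACCOUNTS["alice"].email = "alice@example.test"
    token = issue_csrf_token("sess-abc")
    req = Request("POST", "/account/email",
                  cookies={"session": "sess-abc"},
                  params={"email": "alice.new@example.test", "csrf_token": token},
                  origin=SITE_ORIGIN)
    status, _ = hardened_change_email(req)
    return status, ACCOUNTS["alice"].email


if __name__ == "__main__":
    print("vulnerable, cross-site GET :", cross_site_request(vulnerable_change_email))
    print("hardened, cross-site GET   :", cross_site_request(hardened_change_email))
    print("hardened, cross-site POST  :", cross_site_request(hardened_change_email, "POST"))
    print("hardened, legitimate POST  :", legitimate_request())
```

The three checks in the hardened handler are independent layers: rejecting GET stops the image-tag and link variants Bailey calls "zero-knowledge", the origin check catches cross-site form posts, and the token defends even where an Origin header is missing or cannot be trusted. A scanner that only looks at the response body will not notice any of them, which is why this class of bug is normally found by reviewing every state-changing endpoint rather than by crawling.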

McAfee did not comply with PCI requirements for Approved Scanning Vendors as defined by the PCI Security Standards Council, Bailey claims, and believes the company failed to use a secure software development lifecycle when building the application.

Furthermore, a penetration test should have caught the problem, he wrote, thus he concludes "no such audit has taken place".

Another, seemingly unrelated Cross Site Scripting (XSS) bug in a McAfee website allows miscreants to create pages that appear to be hosted on McAfee domains, when in fact the content is being served from elsewhere. Worse, no SSL errors would be generated in this attack, so even a vigilant user would be fooled.

SecureScience.net has demonstrated the attack by creating a "buy now" page for McAfee products which, if a user clicked through to it, would steal their credit card number and deliver a trojaned version of McAfee's product. (Click here for the dummied-up XSS'd page. It won't bite.)

It's feared spammers could exploit the bug to offer seemingly legitimate "special deal offers" on McAfee products, using the XSS bug to create a genuine-looking purchase page with a valid SSL cert. McAfee, presumably, is scrambling to fix this second issue.

Ironically, marketing material for McAfee's secure scanning portal claims the service detects XSS vulnerabilities.

Sydney-based security consultant Chris Gatford, who works for Pure Hacking, believes the disclosures highlight an all too common hypocrisy among security providers. "It's a sad fact that many security service providers do not practice what they preach," he says.

Others thought the revelations were nothing short of hilarious. One local PCI Qualified Security Assessor (QSA), who did not want to be named, described the news as hysterical. "If there was a vote for lolz of the year I would be voting for McAfee Secure," he says. "That's just stunning."

McAfee isn't the only security vendor to wear egg on its face this year. The website of antivirus software maker Kaspersky was defaced in February. The website of BitDefender, another AV vendor, was also defaced.

Risky.biz sought comment from McAfee, but due to time-zone differences the company was unable to offer any response before deadline.

Pirate Bay Trial "Growing Pains"

Presented by

Patrick Gray

CEO and Publisher

In June, Internet piracy as we know it turns 10.

It was June 1999 when Napster first hit the 'net, providing tech-savvy computer users with unfettered and free access to the largest catalogue of music ever assembled.

Napster was a brilliant piece of software. It allowed Internet users with Napster installed on their systems to "share" their digitised music collections with all and sundry. That meant limitless, free access to digitised recordings normally sold on CD.

Not surprisingly, music industry executives hit the roof. They dispatched the litigation drones and the service was effectively shut down in July 2001 after a fierce court battle in California.

Despite the fact the service was found to be illegal and shut down, Napster had already ushered in a cultural shift among those who'd used it. Consumers found the facility to download any song, virtually instantly and for free, addictive.

A few months after Napster bit the dust Apple released the iPod music player and digital music well and truly hit the mainstream. A host of Napster equivalents popped up all over the world to satiate consumers' newfound appetite for massive personal music catalogues.

There was eMule, eDonkey, Kazaa, Limewire, BitTorrent and so on. BitTorrent survived as the strongest standard -- it's technically robust and relies on websites, not a built in feature, to list catalogues of files for "sharing". That means it's hard for the copyright lobby to sue the makers of the software. It's the operators of the index website the copyright cops have in their sights.

The Pirate Bay is one such BitTorrent index, and it lists more than just music. (Note the use of present tense. Despite the conviction of The Pirate Bay Four, the site is still running in another jurisdiction.)

These days piracy is a problem for the movie and television industries as well as the music business. The proliferation of broadband services makes downloading video through peer-to-peer software easy, and piracy is rife.

There have been various approaches to combating illegal file sharing and some have been absurd. For years the recording industry in the USA engaged in a systematic campaign of litigation against individuals suspected of piracy. In one famous case a 12-year-old girl living in public housing in the USA was forced to settle a Recording Industry Association of America (RIAA) lawsuit.

A side-effect of this aggressive war on technology was the creation of a counterculture that believed piracy was actually ethical. As much as it scared the willies out of many would-be file sharers, the recording industry's thuggish behaviour made stealing from it feel just.

Today, however, it's harder to see how music piracy can be considered ethical in any sense. It's possible to buy music online through services such as Apple's iTunes Music Store and NineMSN. In addition, many artists choose to release their music on to the Internet as free downloads. They happily bypass the music industry and encourage people to share their tunes.

The music is out there, and there are legitimate ways of getting to it.

This is where it gets interesting. Many Internet users who'd download massive amounts of pirated content would justify their behaviour by insisting they would pay for the content if it were available to them online. Well, now it is.

Many movies are also available online as paid downloads and some TV shows are now made available online for no charge at all. It's all going online.

Tivo has just launched a pay-per-download movie service for its customers through home entertainment chain Blockbuster.

TV networks are also getting in on the action. The Nine Network, for example, has made the current series of Underbelly available for download from its website. It uses a special video format that allows Nine to insert demographically targeted ads into the videos and disable the recordings on the user's machine when the series ends. That way DVD sales are preserved, the content is ad supported and consumers are happy.

This is the future. Television shows, movies and music will all be primarily distributed online. Some will be ad-supported, some will be pay-per-download. Once this marketplace has been established, the argument against piracy starts to look like a slam-dunk. High-profile websites like The Pirate Bay will be shut down to preserve the new market, and so they should.

That doesn't mean piracy will completely disappear. It's a part of the rich tapestry of modern life and content producers need to accept it as such, just as they did when video and cassette recorders came along. (Tape-to-tape devices and mix tapes were supposed to be the end of the world back then, remember?)

Small online communities supporting the sharing (or piracy) of niche content (old cop shows, for example) will survive -- copyright holders are unlikely to pursue these operators aggressively. But The Pirate Bay was a flagrant smorgasbord of pirated content. Its operators even used to publicly ridicule copyright lawyers seeking to have specific content removed.

They earned the charges against them. Whether or not the state-funded investigation and prosecution in criminal courts was a good use of Swedish taxpayer money is a matter for debate.

The fact is lawsuits like the one against The Pirate Bay are just growing pains. They're a result of the friction between Gen Y types who want it all now and the copyright lobby's embarrassing attempts to litigate its way out of having to alter its business model. But we're getting there.

High profile piracy is on the way out, online video stores are on the way in.

But if you happen to have series three of Deadwood in a digital format, give me your address. I'll pop over with my portable hard drive for a cup of tea.

I doubt we'll get sued.

Patrick Gray is an Australian technology journalist and publisher specialising in IT security. In 2004, he covered the music industry's federal court lawsuit against Kazaa for Wired News. These days he is the host of the Risky Business IT security podcast.

Risky Business #106 -- Centrelink's new PLAID auth protocol

Presented by

Patrick Gray

CEO and Publisher

Adam Boileau

Technology Editor

This week's edition of Risky Business is brought to you by Tenable Network Security and hosted by Vigabyte virtual hosting at discounted rates.

We've got a great show this week. Australia's welfare agency, Centrelink, has written its own smart card authentication protocol and it's released it to the public. It's called PLAID and the plan is to have it recognised as an ISO standard. It's an extremely ambitious project and Centrelink's smart card architect Glenn Mitchell will be along to talk about it.

We also chat to Tenable Network Security's Marcus Ranum in this week's sponsor interview. We spoke about the recent hysteria around Chinese hackers apparently downloading the plans for America's Joint Strike Fighter.

Freelance security dude Adam "Metlstorm" Boileau is this week's news guest.

We'd like to hear your thoughts on PLAID, too. Do you think it's a waste of time and taxpayer money or a masterstroke? Call Sydney 02 8569 1835 or USA +1 877 688 8417 (Toll free)... or go to the risky.biz forums.


Hack Our New Authentication Protocol, Says Centrelink

Presented by

Patrick Gray

CEO and Publisher

Australia's welfare agency released the draft implementation of PLAID last month. It created the new protocol because off-the-shelf solutions didn't match Centrelink's "business needs," Mitchell says.

He now hopes crypto-geeks all over the world will rip into the software, now in its second draft. "We need to make sure it's as secure as we believe it to be," he told the Risky Business podcast. "There may be issues... if anyone does any issues with it then we're more than happy to take feedback on board and see what we can do to review it."

Off-the-shelf solutions allow contactless smartcards to be identified via passive sniffing, Mitchell says. Even a PKI-based solution will allow an observer to intercept some static information that could be used to identify specific cards.

"[PLAID is] designed for privacy and security," Mitchell says. "For what we're issuing here at Centrelink there's a lot of traffic transmitted from the reader to the card and the card responds through the airwaves. That traffic... possibly if it had static information or determinable information, could identify the card holder."

With PLAID, he says, there's "no way to identify the card involved in the transaction".

While Mitchell recognises "rolling your own" cryptographic systems is risky, he says the use of well established, peer-reviewed cryptographic algorithms within the PLAID protocol will insulate Centrelink from the worst kind of mistakes.

"I completely agree. Rolling your own crypto is definitely not the done thing. History has shown us [it's] always a bad idea," he says. "[But] PLAID isn't a cryptographic algorithm, it's a protocol... it uses two algorithms, the first being the RSA cipher, the second being Rijndael."

The agency will roll out an off-the-shelf PKI-based smartcard system before upgrading the cards to use the PLAID protocol when, or if, it becomes ready.

While Mitchell hopes vendors will adopt the new protocol, he says most have shown reluctance to embrace a protocol that isn't recognised as a standard. "Once it is standardised... then we expect to see a little more enthusiasm," he says.

The plan is to have the protocol recognised as an Australian standard and eventually an ISO standard.

Click here to listen to the full interview with Glenn Mitchell in the Risky Business podcast.

Cool Tool: Why You Need Kon-Boot

Presented by

Patrick Gray

CEO and Publisher

It's just another way to get full privileges once you have physical access, but it looks nice and simple and even supports Windows 7 for Chrissakes!

It's free and you can get it here.

Risky Business #105 -- RSA conference wrap plus X10 security

Presented by

Patrick Gray

CEO and Publisher

Adam Boileau

Technology Editor

This week's show is brought to you by Check Point Software.

This week's show is a bit of a mixed bag. We chatted with 451 group analyst Paul Roberts live from the floor at the RSA conference in San Francisco. Then for something completely different we quizzed Adam Pointon about his adventures with X10 home automation equipment.

Check Point Australia's Steve MacDonald is this week's sponsor guest, and Adam Boileau was this week's news guest.

To answer this week's call-in question, tell us what your experience with DLP software's been over the last year. Call Sydney 02 8569 1835 or USA +1 877 688 8417 (Toll free).


Pirate Bay Prosecution a Waste of Police Resources

Presented by

Nigel Phair

Handing down a year in the big house is a strong deterrent against those who may consider doing this type of thing in the future, but is it really the best judicial outcome?

The Swedish cops raided The Pirate Bay a couple of years ago and seized servers, but even this action didn't shut the site down. The investigation was well handled, but surely police resources should be dedicated to more serious crimes.

While intellectual property theft is bad, it is more of a civil tort rather than a wrong against the state. The International Federation of the Phonographic Industry (or IFPI, which has ex-cops working for it) and its regional subsidiaries are very active in pursuing those involved in deliberate infringement of copyright on a commercial scale, and they are effective in doing so.

They conduct their own investigations and have chalked up some impressive wins. And there are lots of good reasons for taking civil action as opposed to criminal prosecution. Civil cases are easier to prove; balance of probabilities v beyond reasonable doubt. They are more in control in a civil trial -- as opposed to the vagaries of the criminal system; and they can gain a better outcome -- a negotiated settlement v drawn out trial.

But this time the assault against piracy went down the criminal route. So in addition to the law enforcement resources required to handle the investigation, significant criminal court resources were tied up in the subsequent trial, and it's not over yet. Even though a decision has been reached, appeals and cross-appeals will play out for years to come.

And what about the sanction? In Australia and many other jurisdictions gaol time is reserved for very serious offences and violent criminals. More people in custody does not equal lower crime rates or lower recidivism rates. Prison should only be used as a means of last resort and there are alternatives to incarceration.

Not only are they cheaper for the taxpayer, but non-custodial sentences for copyright infringement better suit the characteristics of the offenders and their crimes. Better options include home detention (without internet access of course), community service orders and fines.

It's worth noting that despite the massive effort involved in this investigation and trial The Pirate Bay site has been moved abroad and is still active.

Nigel Phair was the Team Leader of Investigations for the Australian High Tech Crime Centre from 2003 to 2007 and the author of Cybercrime: The Reality of the Threat. He is an active cyber crime analyst.

Risky Business #104 -- 2008: The Postmortem

Presented by

Patrick Gray

CEO and Publisher

Adam Boileau

Technology Editor

This week's podcast is brought to you by Microsoft and hosted, as always, by Vigabyte virtual hosting.

On this week's show we hear from Bryan Sartin of Verizon Business Security Solutions. He'll be discussing that company's 2009 Data Breach Study.

Verizon has a well-established forensics unit and its reports are interesting. This study is to the infosec industry what black box reports are to the aviation industry: a post mortem examination of what went wrong.

We also check in with Stuart Strathdee, Microsoft Australia's Strategic Security Advisor, in this week's sponsor interview. He'll be chatting about Microsoft's own Security Intelligence Report. There are some really surprising results to come out of that one.

Paul Craig is this week's news guest.


Essential reading: Verizon's Data Breach Study

Presented by

Patrick Gray

CEO and Publisher

The report is essential reading; the post-mortem analysis of data breaches is to the information security industry what black-box flight recorder information is to the aviation industry. By understanding where things have gone wrong, we can avoid repeating the mistakes of some of our peers.

A phone interview with the company's director of investigative response, Bryan Sartin, has been recorded and will be included in Risky Business #104, which is due to be published in the next 24 hours.

In the meantime, the 52-page report can be found in PDF form here. It's a must read for anyone working in enterprise security.

The report makes some fairly sweeping claims about data-loss trends. Take them with a grain of salt. The statistics the company is presenting here are cobbled together from its investigation of approximately 100 data-loss incidents.

When forming your own opinion about the information presented, keep in mind the company can only put forward statistics drawn from jobs it worked on. There are many providers of forensic services. A big uptick in the number of breached records Verizon has investigated doesn't necessarily mean there have been more breaches; it could just mean the company's forensics department has grown.

That said, a report containing this much gory detail on data-loss incidents is still valuable to anyone charged with securing enterprise data.

DISCLAIMER: The following text came from a press release issued by Verizon Business:

The financial industry accounted for 93 percent of incidents investigated by the company, which claims most of the breaches reported to it were avoidable.

The study, based on data analysed from Verizon Business' caseload of 90 confirmed breaches throughout 2008, revealed corporations fell victim to some of the largest cybercrimes ever during 2008.

Nine out of 10 breaches were considered avoidable if security basics had been followed. Most of the breaches investigated did not require difficult or expensive preventive controls. The 2009 report concluded that mistakes and oversight failures hindered security efforts more than a lack of resources at the time of the breach.

Similar to the first study's findings, the latest study found that highly sophisticated attacks account for only 17 percent of breaches. However, these relatively few cases accounted for 95 percent of the total records breached -- proving that motivated hackers know where and what to target.

Key Findings of the 2009 Report:

  • Most data breaches investigated were caused by external sources. Seventy-four percent of breaches resulted from external sources, while 32 percent were linked to business partners. Only 20 percent were caused by insiders, a finding that may be contrary to certain widely held beliefs.
  • Most breaches resulted from a combination of events rather than a single action. Sixty-four percent of breaches were attributed to hackers who used a combination of methods. In most successful breaches, the attacker exploited some mistake committed by the victim, hacked into the network, and installed malware on a system to collect data.
  • In 69 percent of cases, the breach was discovered by third parties. The ability to detect a data breach when it occurs remains a huge stumbling block for most organisations. Whether the deficiency lies in technology or process, the result is the same. During the last five years, relatively few victims have discovered their own breaches.
  • Nearly all records compromised in 2008 were from online assets. Despite widespread concern over desktops, mobile devices, portable media and the like, 99 percent of all breached records were compromised from servers and applications.
  • Roughly 20 percent of 2008 cases involved more than one breach. Multiple distinct entities or locations were individually compromised as part of a single case, and remarkably, half of the breaches consisted of interrelated incidents often caused by the same individuals.
  • Being PCI-compliant is critically important. A staggering 81 percent of affected organisations subject to the Payment Card Industry Data Security Standard (PCI-DSS) had been found non-compliant prior to being breached.