News and Opinion

Patrick Gray's picture

Verisign pwnz0red: Reuters report

Verisign successfully attacked in 2010: Report
February 3, 2012 -- 

An interesting news piece hit the wires overnight describing the 2010 breach of a handful of Verisign's corporate systems.

The story was broken by the Reuters news agency and is peppered with sensational quotes like a former NSA and DHS guy saying "ZOMG this will end the interwebz" despite the fact the guy knows about as much as we do about the breach. You can read the whole thing here.

Oops! McAfee discloses 1k customer e-mails

D'oh! Next time use the BCC field!
November 30, 2011 -- 

McAfee Australia leaked 971 customer e-mail addresses in a botched e-mail marketing campaign last week.

The addresses of the recipients were placed in the visible TO field instead of the BCC field.

It's an all-too-common mistake, made especially embarrassing for McAfee because it's not the first time in recent memory something like this has happened.

RSA attackers pwnz0r Australians

760 other companies hit in RSA attacks....
October 26, 2011 -- 

Infosec reporter Brian Krebs published a splendid post a couple of days ago that apparently unmasks 760 victims of the same group that owned RSA.

I've had a look through the list and pulled out all the Australian organisations I could find. From the looks of things this list was compiled by observing computers connecting back to evil C&C in China. That would explain why there are so many ISPs listed -- it's likely it wasn't the ISPs that got pwnz0riz3d, it was their customers.

BREAKING: First State Superannuation threatens researcher

Pension fund engages Minter Ellison...
October 14, 2011 -- 

Australian security researcher Patrick Webster has received a letter from commercial law firm Minter Ellison demanding he turn over his computer to its client First State Superannuation.

The legal threat follows Webster's disclosure of a serious and trivially exploitable security vulnerability in First State Superannuation's website to the company in September.

Listen to my interview with First State Superannuation's Chief Executive Michael Dwyer AM here.

EXCLUSIVE: NSW cops quiz Aussie security researcher

Boneheaded superannuation firm tries shooting messenger...
October 13, 2011 -- 

Well-known Australian information security professional Patrick Webster has been visited by NSW Police officers following his disclosure of an embarrassing Web application security bug to his superannuation fund.

German "government trojan" debate is infantile

But what are the REAL issues?
October 11, 2011 -- 

By now you've likely read about the German Chaos Computer Club's (CCC) reverse engineering of the so-called "Bundestrojaner," or "federal trojan".

Someone found a copy of a remote access trojan in the wild, claimed it was government spyware and submitted it to CCC for analysis. The resulting publications give us a bit of an insight into at least one country's alleged "computer tapping" capabilities.

Norton's cybercrime numbers don't add up

Misleading the public for fun and profit...
September 21, 2011 -- 

Over the last couple of weeks you may have spotted some news stories floating about claiming cybercrime costs society US$388bn annually, with Australia alone suffering A$4.6bn in yearly losses.

If the numbers are to be believed, these reports say, that means cybercrime costs us nearly as much as the global trade in illicit drugs. It's a sensational claim and makes an awesome headline, but any way you slice or dice the numbers they just simply don't stack up.

Spam and phishing run targets Australians

Someone has their sights set on Australian users...
September 14, 2011 -- 

It seems the bad guys are targeting Australian Internet users this week. I got a few of these this morning, as did a couple of Risky.Biz listeners:

From: rules@abr.gov.au
Date: 14 September 2011 10:05:53 AM AEST
To:
Subject: Attention for the ABN owners
x-original-to: REDACTED
x-mailer: azzgnshjz.46

Australian Taxation Office together with Australian Business Register
wants to inform you that starting from January, 1 2012 new rules of use of ABN number are being introduced.

The changes will concern:
- GST credits;

EXCLUSIVE: Leaked "RSA dump" appears authentic

Massive APT-related dump matches leaked HBGary analysis...
August 18, 2011 -- 

A massive Pastebin dump of domain names and IP addresses supposedly linked to a cyber espionage ring appears to be the real deal.

The Pastebin dump, dated August 15, lists around 850 entries containing domain names and IP addresses, supposedly leaked by "RSA Employee #15666". The dump asserts the IP addresses and domain names listed are used in command and control operations by a cyber-espionage ring.

Anonymous shut down! Ringleaders brought to justice!

Are authorities misleading us or are they actually this stupid?
July 20, 2011 -- 

As many readers would no doubt already be aware, the FBI has just arrested 16 "members" of Anonymous in relation to DDoS attacks and intrusions.

The US Department of Justice swiftly issued a press release with the catchy, ALL CAPS title of "SIXTEEN INDIVIDUALS ARRESTED IN THE UNITED STATES FOR ALLEGED ROLES IN CYBER ATTACKS".

So this is a massive blow to "Anonymous" and its sophisticated campaign of mayhem, right?

Wrong.
