Podcasts

Well, hasn't this been an interesting AusCERT...

If you haven't heard by now, Fairfax IT journalist Ben Grubb was briefly detained by QLD police yesterday afternoon in connection to a BSides Australia security presentation delivered on Sunday.

The presentation, by Christian Heinrich, demonstrated a brute-force attack against Facebook's Content Distribution Network. I didn't see the presentation myself, but the long and short of it is the vulnerability demonstrated allows the attacker to obtain Facebook users' private photos.

So how did the police become involved?

Well it's no secret that Christian doesn't particularly enjoy the company of Chris Gatford, a security consultant who runs a small outfit called HackLabs.

I should point out right now that I, myself, don't particularly enjoy Christian's company. In the past he has been a very vocal critic of the Risky Business podcast and me in particular. I don't like him, and I'm fairly certain he doesn't like me.

Where the presentation became an issue for police is when Christian demonstrated the attack against Gatford's wife's Facebook account. He brute-forced some of her photos and displayed a photo of Chris with his young son to the BSides attendees.

I believe he may have blurred out the child's photo, but I haven't confirmed that.

Chris Gatford was livid.

Most of the journalists attending the conference were aware of the presentation but chose not to pursue it as a story. It looked like a case of rivalry between two guys who don't particularly like each other. The Facebook bug is a good one and I planned to mention it in the show, but the angle around the photos, in my view, just wasn't worth bringing to the world's attention.

Sydney Morning Herald online reporter Ben Grubb took a different view.

He published this story, along with the photo of Chris Gatford and his son.

The face of Chris's child was definitely blurred for publication, but I believe posting it was a poor decision on Fairfax's behalf. The Herald editors eventually cropped Gatford's child from the picture, then pulled the picture in its entirety later.

So why was Ben detained?

Well it seems he had been in communication with Heinrich in regard to the attack against Gatford's wife's Facebook account. It is my belief that Ben was detained and his iPad seized so the police could obtain evidence from the iPad in order to consider the preparation of a prosecution brief against Heinrich. This is just my suspicion -- I don't have any solid evidence at all to suggest that a prosecution brief is being prepared or that Heinrich has broken any laws.

If the police decide to pursue the matter, it's possible there could be some issues around unauthorised access to data. A solicitor also might have an opinion on whether cyber-bullying laws apply here -- using a carriage service provider to stalk, intimidate or harass -- that sort of thing. Those offences are taken quite seriously under Australian law. To be clear, at this point no one has suggested that Heinrich has used the Internet to stalk, intimidate or harass anyone.

The reason it was easy for the coppers to seize Ben's iPad is it may be possible for the police to argue he had committed an offence that's in some way equivalent to being in possession of stolen goods, the photos. I sincerely doubt he will be charged with anything, and it remains to see if a prosecution is brought against Christian. It may not be.

And that's pretty much it. Brian Hay of QLD police did a press conference this morning that I didn't bother attending. Of course this whole event is getting way more attention than it should.

It's also important to note that Heinrich's presentation was to BSides Australia, a pre-AusCERT event. It wasn't an AusCERT talk as has been reported.

I haven't approached anyone to ask them for a response to this post. It's just a summary of what I believe to be the case. I'm sick with a cold, jetlagged as hell, and frankly there's other work I'd rather be focussing on.

To sum up: Meh.

You're about to hear a full presentation recorded at the AusCERT conference. Scott McIntyre is a recent immigrant to Australia... he used to work for XS4all in the Netherlands, but these days he works as the Senior Technology Architecture Specialist in Security Operations for Telstra in Melbourne. His presentation is all about his views though, not those of Telstra. Disclaimer. Etc.

His talk focuses on what he calls the IT Security Generation Gap. Too often are today's security policies written and enforced by people who don't "get" social media, the public Internet, iPads and BitTorrent. But at the same time, anyone with an infrastructure to secure needs workable procedures and tooling to protect their data and systems. His talk covers common failings in this generation gap and provides guiding principles to close the gap and reduce exposure.

You're about to hear a full presentation recorded at the AusCERT conference: a great presentation by Mark Newton, an engineer with Internode, all about IPv6 security.

Internode is an ISP and Mark really knows his stuff. We all know security considerations in IPv6 aren't exactly thrilling, but Mark managed to actually make this presentation interesting and a little bit thought provoking. I was popping in and out throughout this session and yeah, it was definitely more interesting than I was expecting. So here it is!

Our coverage of the conference is brought to you by the fine folks at Microsoft -- without their support, there would be no AusCERT podcasts, so big thanks to MS!

As a part of that sponsorship Risky Business is posting a few sponsored podcasts -- this is one of them, an interview with Microsoft's Identity specialist Paul Conroy. In it, we discuss what enterprise customers out there are actually looking for, as well as having a bit of a chat about SAML 2.0 -- an authentication protocol that you can use... and I can't believe I'm going to say this. In the... cloud. I said cloud. I'm sorry. But listen to the interview, it'll make sense.

This podcast is an AusCERT talk by Ian Appleby. He's the Information Security Manager at Endeavour Energy and he's responsible for the security of its Corporate and SCADA Systems.

The talk is on Risk Management in a Smart Metering Environment.

In this interview we hear from Tim Hudson, an independent cryptography dude, who, as you'll hear, may or may not have worked on Queensland's Smart Card drivers license project. Absurdly, on legal advice, he can't actually tell us if he worked on that project.

There were mutterings in the Queensland state parliament some time ago about a project consultant criticising the rollout... the minister responsible also said something about the department exploring legal options to shut said critic up. Geez, I wonder if it was Tim?

Tim did a presentation here at AusCERT earlier today... I asked him to tell me what he spoke about.

You're about to hear a presentation by Jason Larsen, a security researcher at the Idaho National Laboratory. The INL is run by the US Department of Energy and is home to the National SCADA Testbed (NSTB) and the Industrial Control System CERT(ICS-CERT).

I'm going to read from his talk synopsis here: The first half of Jason's presentation will be an overview and update on what's happening in control. In most cases, simply sending properly formatted commands to the field equipment is enough, but there are cases when this does not achieve the attacker's goals. If the field equipment contains sanity checks, the attacker needs sub-second control, or if he simply wants to hide, he will invade the field equipment. Understanding the challenges the attacker faces are essential for any sort of investigative or forensics effort. The second part of the presentation will cover attack and forensics of the embedded systems used in industrial control systems.

We were a couple of minutes late plugging into the desk, so we'll pick up Jason's talk just a few minutes in.

You're about to hear an excerpt from the opening keynote from the AusCERT conference by comedian Bennett Arron.

Several years ago Bennett Arron was in serious debt. He owed thousands of pounds to mobile phone companies, catalogues and department stores. But it wasn't him! As it turned out, he was a victim of Identity Theft.

Years later, he wound up writing a comedy show about his experience... he eventually directed and presented a Documentary for Channel 4 called How To Steal An Identity.

In it he actually stole the identity of the then Home Secretary, Charles Clarke.

He was arrested over it, but you'll be pleased to know he was never convicted.

Anyway, Bennett was kind enough to allow Risky Business to play an excerpt from his talk. The whole thing is about an hour long and very entertaining... so obviously you should book him for your next exotically-located conference and or event. Big thanks to Bennett for allowing us to play this chunk of his talk.

In this interview we're chatting with Wade Alcorn. By day he's NGS Security's general manager for Asia Pacific, but by night he's out there maintaining BeEF -- the browser exploitation framework.

If you haven't heard of beef it's a very cool tool. If you can get someone to load it into your browser, either by them visiting a site you control directly, or alternatively through some sort of cross site scripting bug, then you can get the browser to do all sorts of stuff for you -- like portscan the victim's LAN, attack JBOss servers and stuff like that.

I caught up with Wade and asked him to tell us all about BeEF and what's the latest. With beef. Here's the beef.

This week's show was cut together from Johannesburg, South Africa!

In it we discuss Google's latest bug bounty initiative -- they're not just offering cash for bugs in software products, these days they're also offering cash for bugs in their online properties. Got an auth bypass for Gmail? Ka-ching!

This week's show is brought to you by Astaro. Jack Daniel of Astaro joins us to talk about restricting certain content types from SOEs. Do we really need Flash in our operating environments anymore? Can we just drop it and gain some security?

Adam Boileau drops in, as always, to discuss the week's news headlines.