Podcasts

This week's feature interview is with nmap creator Gordon Lyon, who's probably better known by his handle: Fyodor.

Last week we brought you the news that the Full Disclosure mailing list was shuttered following legal threats from someone describing themselves as a security researcher. Fyodor runs the seclists.org mailing list archive and he's decided to bring FD back from the dead. I got him on the line and asked him why.

This week's show is brought to you by Bridgepoint -- a Queensland-based company that does all sorts of stuff -- systems integration, pen testing and PCI. With the G20 coming up we chat with the company's principal security consultant Michael Trott about the preparations underway. When the world shines its spotlight on Brisbane in November boy oh boy, everyone with a gripe is going to be trying to deface pretty much every website with the word "Queensland" on it. That's coming up soon.

Adam Boileau, as always, joins us to discuss the week's security news headlines.

Show notes are here.

On this week's show we're taking a look at some absolutely awesome research by Azimuth Security's Tarjei Mandt on the pseudo random number generators used by iOS 6 and 7. Tarjei has figured out a way to blow away iOS's memory mitigations with some very cool tricks.

This week's show is sponsored by Tenable Network Security, and this week we're joined by Carlos Perez, Tenable's Director of Reverse Engineering in the sponsor slot. He heard last week's interview all about using PowerShell as a post exploitation tool, and as it turns out, he's one of the leading experts out there on using PowerShell to do sneaky stuff. So he'll be along to pretty much pick up where we left off last week. More PowerShell! That's this week's sponsor interview.

Adam Boileau, as usual, joins us for the week's news headlines.

Show notes are here.

On this week's show we have a look at PowerShell, the Microsoft sorta scripting language admin thingy. As it turns out, PowerShell can be an attacker's best friend when it comes to lateral movement through a network. We'll chat with Kieran Jacobson about that in this week's feature interview. He did a cracker presentation at CrikeyCon where he demo'd owning a domain controller and dumping all its creds with something like five lines of PowerShell. I mean, there are caveats there, but wow... the demotime was food for thought.

This week's show is sponsored by HackLabs. HackLabs head honcho Chris Gatford joins the program in this week's sponsor interview to have a yarn about the upcoming great XP switch of 2014. Ditching XP in your environment shouldn't be a supreme challenge, but what about specialist devices? Like the heart monitor that you can't patch but needs to be networked so you can know Mr. Jones in 14F is about to have a heart attack? Yeah, that'd be one of those intractable problems. Yay.

It's a solid week for BitCoin news. The (maybe) outing of the elusive Satoshi Nakamoto, the MtGox mystery, dead exchanges and even, unfortunately, a suicide of a former BitCoin exchange CEO in Singapore.

But there's been plenty of other news! Apple's gotofail bug, GnuTLS issues, more NTP amplification attacks, and of course YahooWebcamGate. You can find links to the news items discussed in this week's show here.

There's also a stack of interviews in this week's podcast, including a bunch recorded in San Francisco last week. The run sheet looks like this:

\t- The Grugq discussing the news headlines of the last two weeks
\t- Marcus Ranum on the RSA trade floor discourse
\t- RSA CEO Art Coviello on the NSA controversy
\t- ACLU principal technologist Chris Soghoian
\t- RSA Chief Architect Robert Griffin
\t- Jack Daniel of Tenable Network Security (sponsor interview) on the "Threat Intelligence" buzzword craze

This week we chat with a local consultant, Mark Brand of Datacom TSS, about the general topic of authentication. We've seen some interesting cases of things going wrong with auth on consumer sources lately. The @n Twitter username hijacking, the Matt Honan disaster of 2012.

Now Google's run off and bought SlickLogin, a novel approach to mobile app auth. Will that get us anywhere? And what about NameCoin -- a BitCoin protocol-derived peer-to-peer authentication scheme? I'd never heard of it, but the concept is fascinating. Mark pops by to fill us in.

This week's show is brought to you by Senetas. In this week's sponsor interview we're chatting with Senetas CTO Julian Fay about some work they've been doing on their Ethernet products. As it turns out, variable frame sizes can give up too much info to an attacker, so they've worked on some neat new tech that basically forces their stuff to send fixed length frames and make sure everything stays random.

Adam Boileau pops by as usual to chat about the week's security news. Show notes, including links, are here.

On this week's show we're chatting with COSEINC's Thomas Lim about the Wassenaar Arrangement. It's basically a worldwide framework that restricts the sale of munitions and dual use technologies, and it has exploits in its sites.

COSEINC is a security research company that engages in exploit development, and Lim thinks extending regulations to exploit sales is pointless.

This week's show is brought to you by BugCrowd, a company that was founded in Australia but is now based in San Francisco thanks to VC investment.

Bugcrowd runs outsourced bug bounties, and its founder and CEO Casey Ellis joins the show in this week's sponsor interview to talk about the latest goings on in the burgeoning bug bounty industry!

We're back after a nice long rest, and boy oh boy did a lot of stuff happen during the break. Adam Boileau joins the show to discuss the choicest selection of news items to emerge over the last six weeks.

In this week's feature slot we chat to OJ Reeves about his work in upgrading Meterpreter, the Metasploit payload. There are some cool new features on the way, he'll clue us in on those.

This week's show is brought to you by Tenable Network Security.

Tenable's very own Marcus Ranum will be joining us to have a chat about security metrics in this week's sponsor interview, stick around for that.

Show notes for this week's episode are here.

Patrick Gray on Twitter.
Adam Boileau on Twitter.

This is the final Risky Business podcast for 2013. The show will resume its weekly schedule in February 2014.

Oh, and there are still three sponsor slots left between now and July. If you're interested, drop us a line with the contact form...

This week's show looks back over the key events and trends of 2013; how media focus shifted from focussing on China's cyber-espionage to the scandalous revelations of the Snowden leaks.

We also take a quick look at the Silk Road bust, say goodbye to some friends and check in with Insomnia Security's Brett Moore in this week's sponsor interview.

On this week's show we speak to Bromium co-founder and CTO Simon Crosby all about its tech. We don't normally interview vendors about their technology in the feature slots, but Bromium is very interesting stuff. It's all about hardware-enabled task isolation with Xen-based micro VMs. The way they've implemented this makes it quite difficult for an attacker to gain persistence on a target machine. Simon is a very technical guy, it's a great interview and it's after the news.

This week's show is brought to you by Tenable Network Security, makers of fine, fine, vulnerability scanning tools like Nessus. And in this week's sponsor interview we chat with Tenable's chief architect for the Asia Pacific region Dick Bussiere. Dick is based in Singapore, and surprisingly enough the infosec agenda there isn't being set by the Snowden leaks. So what's driving the infosec narrative in .sg? Dick joins the show with his view.

In this week's show we speak with TrustedSec CEO Dave Kennedy about his testimony to the US congress about the Obama administration's healthcare.gov website. It cost over $600m and it's riddled with infosec 101 bugs. We find out just how bad it is and what can be done about it.

This week's show is brought to you by Senetas, makers of fine, fine layer 2 encryption software. In this week's sponsor interview we speak with Senetas CTO and co-founder Julian Fay about the sudden popularity of the layer 2 crypto gear they've been selling for something like 15 years. Have the Snowden revelations actually changed things for encryption companies? Julian says yes, big time, in a tangible way.

Adam Boileau, as always, joins us for a discussion of the week's security news headlines. Links to the news items discussed, plus some other stuff, can be found here.