Podcasts

News, analysis and commentary

Risky Business #263 -- Data retention and the national security review

Presented by

Patrick Gray

CEO and Publisher

Adam Boileau

Technology Editor

In this week's feature interview we're chatting with the Assistant Commissioner of the Australian Federal Police, Neil Gaughan.

He's the national manager of High Tech Crime Operations and he's joining us to discuss the ongoing national security review. As a part of that review the government is introducing laws that will force ISPs and other Carriage Service Providers (CSPs) to store information on Australian citizens for two years. It sounds scary, but as you'll hear the data covered by the proposed new law is actually pretty mundane stuff like DHCP and SIP logs.

We have a new Risky Business sponsor this week, an Australian company named Senetas. These guys make layer 2 crypto gear which I find very, very interesting. So in this week's sponsor interview I basically just had a yarn with Senetas co-founder and CTO Julian Fay about where that sort of gear is most useful. As you'll hear, Julian knows networks and he knows crypto.

Adam Boileau, as usual, joins us for the week's news headlines.

Show notes

This week's feature interview source material:
------------------------------------------------------------------------

The AFP's definition of communications metadata:
http://scott-ludlam.greensmps.org.au/sites/default/files/afpdoc.pdf

This week's news items:
------------------------------------------------------------------------

John McAfee, in Hiding, Condemns Belizean Government as 'Pirates' | Threat Level | Wired.com
http://www.wired.com/threatlevel/2012/11/mcafee-essay/

Skype Restores Password Resets, Repairs Flaw that Allows Account Hijacking | threatpost
http://threatpost.com/en_us/blogs/skype-suspends-password-resets-investi...

Attackers Compromise Adobe Connect User Site | threatpost
http://threatpost.com/en_us/blogs/attackers-compromise-adobe-connect-use...

Google Puts Flash in a Sandbox on OS X | threatpost
http://threatpost.com/en_us/blogs/google-puts-flash-sandbox-os-x-111412

Bradley Manning Offers to Plead Guilty to Partial Charges, Including Leaking to WikiLeaks | Threat Level | Wired.com
http://www.wired.com/threatlevel/2012/11/bradley-manning-plea-notice/

============================================
SPONSORED WHITEPAPERS. READ 'EM TO SUPPORT RISKY BUSINESS!

Senetas - Security Products White Papers
http://www.senetas.com/products/resources/white-papers.htm
============================================

Given Tablets but No Teachers, Ethiopian Children Teach Themselves | MIT Technology Review
http://www.technologyreview.com/news/506466/given-tablets-but-no-teacher...

Dictionary apps post false piracy confessions on Twitter - Crave
http://www.cnet.com.au/dictionary-apps-post-false-piracy-confessions-on-...

Hong Kong stock exchange hacker sentenced to jail | ZDNet
http://www.zdnet.com/cn/hong-kong-stock-exchange-hacker-sentenced-to-jai...

Blizzard Sued Over Data Breach, Authenticator Sales | threatpost
http://threatpost.com/en_us/blogs/blizzard-sued-over-data-breach-authent...

Twitter Resets More Passwords Than Accounts Hacked | threatpost
http://threatpost.com/en_us/blogs/twitter-resets-more-passwords-accounts...

Ransomware a growing menace, says Symantec | Security & Privacy - CNET News
http://news.cnet.com/8301-1009_3-57548314-83/ransomware-a-growing-menace...

Microsoft Update Includes Critical Security Update for IE 9, First Patches for Windows 8, RT | threatpost
http://threatpost.com/en_us/blogs/microsoft-update-includes-critical-sec...

Variant of Mac Malware Targets Tibetan Activists | threatpost
http://threatpost.com/en_us/blogs/variant-mac-malware-targets-tibetan-ac...

Memory Bug Fixed in Tor Client | threatpost
http://threatpost.com/en_us/blogs/memory-bug-fixed-tor-client-110912

This week's feature track:
------------------------------------------------------------------------

The Afrobiotics - Don't Play With Fire on Official.fm
http://official.fm/tracks/yG16

Risky Business #262 -- Side channel VM crypto attacks are badass

Presented by

Patrick Gray

CEO and Publisher

Adam Boileau

Technology Editor

On this week's show we're chatting with renowned megabrain Peter Gutmann about a paper on side channel attacks against crypto keys in virtualised environments. It's really complicated stuff, but very, very interesting.

Peter didn't do this research or write the paper, but I always like getting his take on this stuff because... well... he's really smart and he doesn't overhype stuff. That's after the news.

This week's show is brought to you by a new sponsor! NCC Group! Yay!

These guys have been the acquisition monster over the last couple of years, picking up NGS Security, iSec Partners and Matasano, among others. They're a large infosec company these days with a lot of extremely clever people working for them.

Joining us in this week's sponsor interview is Wade Alcorn, the Australia country manager for NCC Group... he's also the founder of the BeEF project and a very smart guy. He's joining us to have a chat about some interesting developments in Japan where a bunch of people have been arrested and charged with criminal offences for writing grey-market and downright illegal mobile apps.

Show notes

Experts Warn of Zero-Day Exploit for Adobe Reader - Krebs on Security
http://krebsonsecurity.com/2012/11/experts-warn-of-zero-day-exploit-for-...

Adobe Patches Critical Memory Vulnerabilities in Flash Player, AIR | threatpost
http://threatpost.com/en_us/blogs/adobe-patches-critical-memory-vulnerab...

COLUMBIA, S.C. - Lawsuit over SC Revenue security breach expanded - State & Regional - TheState.com
http://www.thestate.com/2012/11/05/2508579/lawsuit-over-sc-revenue-secur...

PixSteal-A Trojan Steals Images, Uploads to Iraqi FTP Server | threatpost
http://threatpost.com/en_us/blogs/pixsteal-trojan-steals-images-uploads-...

M3AAWG Recommends New DKIM Best Practices | threatpost
http://threatpost.com/en_us/blogs/m3aawg-recommends-new-dkim-best-practi...

Google Adds Malware Scanner to Jelly Bean 4.2 | threatpost
http://threatpost.com/en_us/blogs/google-adds-malware-scanner-jelly-bean...

Android Smishing Vulnerability Found in Android Open Source Project Firmware | threatpost
http://threatpost.com/en_us/blogs/android-smishing-vulnerability-found-a...

Coke Gets Hacked And Doesn't Tell Anyone - Businessweek
http://www.businessweek.com/news/2012-11-04/coke-hacked-and-doesn-t-tell

More VMware ESX Source Code Posted Online | threatpost
http://threatpost.com/en_us/blogs/more-vmware-esx-source-code-posted-onl...

Team Ghostshell Allegedly Spills 2.5 M Russian Records | threatpost
http://threatpost.com/en_us/blogs/team-ghostshell-allegedly-spills-25-m-...

Apple Patches Kernel, Passcode Lock and WebKit Flaws in iOS 6.0.1 | threatpost
http://threatpost.com/en_us/blogs/apple-patches-kernel-passcode-lock-and...

Apache Server-Status Publicly Viewable on Top Sites | threatpost
http://threatpost.com/en_us/blogs/apache-server-status-publicly-viewable...

China Most Threatening Cyberspace Force, U.S. Panel Says - Bloomberg
http://www.bloomberg.com/news/2012-11-05/china-most-threatening-cyberspa...

Facebook password-bypass flaw fixed | Security & Privacy - CNET News
http://news.cnet.com/8301-1009_3-57544933-83/facebook-password-bypass-fl...

Hotmail Takes on Election Duties as Servers in New Jersey Crash | Threat Level | Wired.com
http://www.wired.com/threatlevel/2012/11/new-jersey-email-fai/

Hackers expose British Navy email logins - Hackers - SC Magazine Australia - Secure Business Intelligence
http://www.scmagazine.com.au/News/322232,hackers-expose-british-navy-ema...

Fraudsters launder cash though grants startup - Risk - SC Magazine Australia - Secure Business Intelligence
http://www.scmagazine.com.au/News/322118,fraudsters-launder-cash-though-...

www.cs.unc.edu/~reiter/papers/2012/CCS.pdf
http://www.cs.unc.edu/~reiter/papers/2012/CCS.pdf

Japanese Android developers arrested for infecting 10 million users - Hacker News , Security updates
http://thehackernews.com/2012/10/japanese-android-developers-arrested.ht...

Link to Sophail: Applied attacks against Sophos Antivirus
https://lock.cmpxchg8b.com/sophailv2.pdf

Risky Business #261 -- Divide by zero, destroy power grid

Presented by

Patrick Gray

CEO and Publisher

Adam Boileau

Technology Editor

We've got a great feature interview in this week's show with a computer science undergrad in the US who worked on a paper dealing with GPS security. You'll find out how you can melt down power lines with GPS haxx! Fun for the whole family!

This week's show is sponsored by Tenable Network Security. We'll be having Tenable product manager Jack Daniel on the line to talk about the death of periodical vulnerability scanning. Apparently continuous scanning is all the rage these days!

I've spent the entire week down with the manflu, as you will probably hear, so apologies if the energy levels are down a bit this week.

Show notes

VUPEN Researchers Say They Have Zero-Day Windows 8 Exploit | threatpost
http://threatpost.com/en_us/blogs/vupen-researchers-say-they-have-zero-d...

Deloitte audit report that makes NZ government look like jerks:
http://www.msd.govt.nz/documents/about-msd-and-our-work/newsroom/media-r...

NY Post Pisses Its Pants Over Terrorism Homework; And You Should Too | Threat Level | Wired.com
http://www.wired.com/threatlevel/2012/10/terrorism-homework/

Homeland Security chief: Banks 'under attack' by hackers | Security & Privacy - CNET News
http://news.cnet.com/8301-1009_3-57543300-83/homeland-security-chief-ban...

Huawei looks to German security researchers for help | Security & Privacy - CNET News
http://news.cnet.com/8301-1009_3-57542809-83/huawei-looks-to-german-secu...

Anonymous takes aim at Zynga | Security & Privacy - CNET News
http://news.cnet.com/8301-1009_3-57541801-83/anonymous-takes-aim-at-zynga/

Millions of SSNs lifted from South Carolina database | Security & Privacy - CNET News
http://news.cnet.com/8301-1009_3-57541481-83/millions-of-ssns-lifted-fro...

Feds charge 14 with making ATM cashouts appear like one - SC Magazine
http://www.scmagazine.com/feds-charge-14-with-making-atm-cashouts-appear...

Outages hit Google App Engine, Dropbox, Tumblr, and more | Security & Privacy - CNET News
http://news.cnet.com/8301-1009_3-57541195-83/outages-hit-google-app-engi...

China blocks NY Times over story on leader's 'hidden fortune' | Security & Privacy - CNET News
http://news.cnet.com/8301-1009_3-57541137-83/china-blocks-ny-times-over-...

U.S. looks to replace human surveillance with computers | Security & Privacy - CNET News
http://news.cnet.com/8301-1009_3-57540826-83/u.s-looks-to-replace-human-...

Cisco Patches Vulnerabilities in Data Center and Web Conferencing Products | threatpost
http://threatpost.com/en_us/blogs/cisco-patches-vulnerabilities-data-cen...

ZeroAccess Botnet Cashing in on Click Fraud and Bitcoin Mining | threatpost
http://threatpost.com/en_us/blogs/zeroaccess-botnet-cashing-click-fraud-...

Here's the paper discussed in this week's feature interview!
http://users.ece.cmu.edu/~dbrumley/courses/18487-f12/readings/Nov28_GPS.pdf

If you enjoyed the music in this week's show, buy it!

Shop « Andrea Soler
http://andreasoler.com/shop/

INTERVIEW: Musclenerd on Qualcomm baseband hacking

Presented by

Patrick Gray

CEO and Publisher

This podcast is an interview with Eric "Musclenerd" McDonald. Eric is a renowned iPhone jailbreaker and as such has a very detailed understanding of smartphone platforms.

His talk at Ruxcon Breakpoint was all about the security of baseband chipsets. If you follow this stuff you might know that the baseband chipsets in these smartphones -- which handle all the basic communications functions of the phones -- are actually quite sophisticated. And where there's sophistication, there are potential problems.

As you'll hear, there's research going into attacking baseband chipsets through two vectors -- directly through the cell network, if you control it, or if you can trick your target's handset into associating with your fake networks... or indeed through the OS. It's interesting stuff.

INTERVIEW: Sniffing USB firmware with FaceDancer

Presented by

Patrick Gray

CEO and Publisher

This podcast is an interview I did at the Breakpoint security conference with security researcher Travis Goodspeed. He's come up with a hardware device called FaceDancer that allows him to capture USB device firmware by emulating the devices. What can you do with that? Well, you can start messing with those devices, loading up custom firmware, and even use modified USB devices to attack hosts.

Risky Business #260 -- News, Ducklin, Arkin and more!

Presented by

Patrick Gray

CEO and Publisher

Adam Boileau

Technology Editor

This week's show is brought to you by our benevolent overlords at Adobe! And this week's sponsor interview is a must listen. Adobe's director of product security and privacy Brad Arkin joins us to discuss the breach at Adobe HQ that led to malicious binaries being signed as valid by their code signing boxes.

Yes, it's a sponsor interview but Brad does a great job at answering some tough questions about the known extent of the compromise. I found that conversation extremely interesting and I suspect you will too.

We also chat to him about some new security features in Flash Player and Reader.

Also this week we're chatting with Paul Ducklin of Sophos Australia. Duck is well known to most Risky Business listeners, he's a regular guest, and this week he's joining us to talk about a few items of interest -- Oracle's awful patching schedule, a Sony lawsuit getting tossed and some weak DKIM issues that affected Google.

Insomnia Security's Mark Piper joins us to discuss the week's news headlines. You can find links to all our news in this week's show notes.

INTERVIEW: Did Google dodge the Android pwnbullet?

Presented by

Patrick Gray

CEO and Publisher

This podcast is an interview I did with Accuvant's Joshua Drake, aka jduck. His Breakpoint presentation was on the topic of Android security.

As regular listeners of the Risky Business podcast would know, we're pretty much convinced Android was rushed to market -- it was insecure, immature, way too open and a big, glaring risk to its users. Combine that with the inherent problems with the Android ecosystem and you had a recipe for disaster.

For those unfamiliar with those ecosystem problems, Android is very difficult to patch. Android users must wait for Google to update the OS, then ship the updates to the manufacturers who customise them for their hardware, then in turn they have to pass them on to the carriers, who may or may not customise those OS builds for compatibility with their apps and then pass the updates out over the air. Long story short, most Android devices wind up remaining unpatched.

Well, things have changed. As Joshua outlined in his presentation, Google has built a lot of exploit mitigations into the mobile OS and they're starting to look pretty effective. Is it possible that Google has dodged what many saw as an inevitable bullet?

INTERVIEW: Barnaby Jack on hacking implantable medical devices

Presented by

Patrick Gray

CEO and Publisher

This podcast is an interview I did with Barnaby Jack, a security researcher with IOActive. Barnes is probably best known for his work on ATM security. He famously "jackpotted" an ATM live on stage at BlackHat in 2010, but if he were to do a live demo of his latest research he'd probably wind up in prison.

That's because he's been looking at implantable defibrillators and pacemakers. As it turns out they have wireless interfaces that allow you to connect to them. You can bypass their rudimentary authentication and start sending 830 volt zaps into your victim's heart which, obviously, isn't ideal.

Jack says these techniques could be used for targeted assassinations, or perhaps even more worryingly, a maliciously motivated person could actually create an auto-propagating worm designed to kill people!

SPONSOR INTERVIEW: Pcap analysis in the cloud

Presented by

Patrick Gray

CEO and Publisher

All our coverage of the Breakpoint security conference was made possible by our sponsor PacketLoop.

PacketLoop is a new Australian business that applies big data analysis techniques to your packet captures... you can visualise your captures, drill down into them, and even spot successful 0day attacks against your organisation after the event -- that's a simple trick, that one, they just loop your packet captures through IPSs after the fact... when they get signature updates, they loop them through again. Hence the name, PacketLoop.

You can sign up to a Beta at PacketLoop.com, and I suggest you do. Think of this stuff as like NetWitness in the cloud.

I caught up with PacketLoop co-founder Michael Baker to discuss his presentation at the Ruxcon conference, which was all about Big Data security analytics. I started off by asking him roughly what he planned to talk about.

Risky Business #259 -- MSDfail, Brett Moore and moooore!

Presented by

Patrick Gray

CEO and Publisher

Adam Boileau

Technology Editor

This week's show is being produced entirely on the ground at the Ruxcon Breakpoint security conference in my old home town of Melbourne, Australia! And it's a shorter show than usual because I'm pretty busy down here producing a bunch of podcasts as a part of some joint coverage I'm doing for both Risky.Biz and The Register. If you want to check out some audio and blog posts from Breakpoint, head to http://risky.biz/breakpoint. They're not up yet, but you'll soon find some interviews with people like Barnaby Jack and Joshua Drake (jduck) there... or you can subscribe to the RB2 podcast feed at http://risky.biz/feeds if you want that content automagically.

In this week's sponsor interview we're chatting with Insomnia Security founder Brett Moore. Thanks to Insomnia Security for all its support of this podcast. If you're a CSO in New Zealand and you've never had a pen test from these guys you're doing it wrong.

It's a company founded by Brett Moore and staffed by the likes of our regular news co-host Adam Boileau and his sometime fill-in Mark Piper, as well as a few other guys. Brett joins us to recap Breakpoint and tell us what he thinks of the epic MSDfail in NZ. Why do organisations commission expert advice if they're just going to ignore it?

Show notes

MSD admits not acting on early system breach alerts... | Stuff.co.nz
http://www.stuff.co.nz/technology/digital-living/7826984/MSD-admits-not-...

Russian Anti-Virus Firm Plans Secure Operating System to Combat Stuxnet | Threat Level | Wired.com
http://www.wired.com/threatlevel/2012/10/kaspersky-operating-system/

Second LulzSec member pleads out in Sony Pictures attack - SC Magazine
http://www.scmagazine.com/second-lulzsec-member-pleads-out-in-sony-pictu...

Pentagon Hacker McKinnon Wins 10-Year Extradition Battle | Threat Level | Wired.com
http://www.wired.com/threatlevel/2012/10/mckinnon-extradition-win/

State-Sponsored Malware 'Flame' Has Smaller, More Devious Cousin | Threat Level | Wired.com
http://www.wired.com/threatlevel/2012/10/miniflame-espionage-tool/

WikiLeaks Goes Behind Paywall, Anonymous Cries Foul | Threat Level | Wired.com
http://www.wired.com/threatlevel/2012/10/wikileaks-paywall-anonymous/

Cyberthieves steal $400,000 from Bank of America | Security & Privacy - CNET News
http://news.cnet.com/8301-1009_3-57533007-83/cyberthieves-steal-$400000-from-bank-of-america/

Hackers target Fairfax holiday site Stayz, altering bank details on listings | News.com.au
http://www.news.com.au/travel/australia/hackers-target-fairfax-holiday-s...

Roxon issues discussion paper on mandatory data breach laws - Risk - SC Magazine Australia - Secure Business Intelligence
http://www.scmagazine.com.au/News/319578,roxon-issues-discussion-paper-o...

Zero-day attacks last much longer than most would believe - SC Magazine
http://www.scmagazine.com/zero-day-attacks-last-much-longer-than-most-wo...

Pacemakers, defibrillators open to attack • The Register
http://www.theregister.co.uk/2012/10/17/pacemakers_open_to_wireless_attack/

Information Disclosure Zero-Day Discovered in Novell ZENworks | threatpost
http://threatpost.com/en_us/blogs/information-disclosure-zero-day-discov...

Oracle Patch Update to Include 109 Patches | threatpost
http://threatpost.com/en_us/blogs/oracle-patch-update-include-109-patche...

Oracle Leaves Fix for Java SE Zero Day Until February Patch Update | threatpost
http://threatpost.com/en_us/blogs/oracle-leaves-fix-java-se-zero-day-unt...

Adobe Extends Security of Reader and Acrobat With Better Sandbox, Force ASLR | threatpost
http://threatpost.com/en_us/blogs/adobe-extends-security-reader-and-acro...

Exploit Code Released Targeting Firefox 16 Vulnerability | threatpost
http://threatpost.com/en_us/blogs/exploit-code-released-targeting-firefo...

The Cactus Channel - Official Site
http://www.thecactuschannel.com/
