Podcasts

We're kicking off our AusCERT 2013 coverage today with the conference's opening keynote by Michael Jones, Google's chief technology advocate. He's charged with advancing technology to organise the world's information and make it universally accessible and useful.

Michael has worked as chief technologist of Google Maps, Earth, was the CTO of Keyhole Corporation, the company that developed the technology behind Google Earth and was also CEO of Intrinsic Graphics, and was director of advanced graphics at Silicon Graphics.

His presentation was called Security's Biggest Risk, and it basically boils down to the dumb stuff bringing us unstuck. It's a very high level talk that definitely has its moments, and I hope you enjoy it. Here he is.

The following is a recording of HD Moore's AusCERT plenary, all about the research he's done scanning the entire Internet. HD is one of the smartest guys in the business, and it's a great talk. But you might actually need to slow it down a bit, because I don't think I've ever encountered anyone in my life who can speak as fast as HD does. He sometimes speaks at a pace that is faster than my ability to comprehend what he's saying. But as I say, it's a great talk -- it's called Global Vulnerability Analysis.

In this sponsor interview we chat with Paul Ducklin of Sophos about trends in code signing technology designed to combat malware.

During the great "SSL wars" of 2011, when hackers like Comodohacker went cyber-berserk owning CAs and minting their own certificates for sites like Gmail and Facebook, valuable lessons were learned. It's becoming the norm for browsers to pin certs for well known websites... and now this same approach to certificate sanity checking is finding its way into code signing checks.

Microsoft's latest EMET, version 4.0 which I think is still in Beta, will pin certs for signed applications. It's a good idea -- it makes life a little tougher for the bad guys, but as you'll hear, it's not going to kick the can THAT far down the road, as Paul Ducklin explains.

The following is a recorded presentation from AusCERT. It's by Al Blake, the Chief Information Officer of the Department of Sustainability, Environment, Water, Population and Communities. In it he talks about BYOD, basically, from an Australian government perspective. It's not an overly technical talk, but it is a good overview of what a CIO like him has to consider when allowing staff to use their own devices in a heavily regulated environment.

In this sponsor interview with chat with Casey Ellis, the founder of BugCrowd.

When Casey co-founded the business the idea was simple -- the company would host outsourced bug bounty programs for clients that didn't have the expertise to run their own. As some of you may know, the idea really took off, but what no one expected was for BugCrowd's registered testers to do a better job than many penetration testing teams.

It's cheaper than a pentest, and in the case of Web application or mobile application security testing, these bug bounty programs are turning up more actionable issues than penetration testing teams.

Could these types of programs be disruptive to the penetration testing services industry? Casey joined me to discuss.

This week's feature interview is with Dave Jorm, a Brisbane-based security geek and environmental science aficionado who's done some really interesting OSINT analysis of agricultural efficiency in North Korea with publicly available satellite data.

He's presenting his findings at AusCERT's annual conference on the Gold Coast next week; he joins the podcast to talk about his work and the online community of North Korea watchers.

Ok, so it's not exactly about infosec, but it's really interesting stuff and I hope you all enjoy it!

This week's show is brought to you by the fine folks at HackLabs, the Australian pentesting firm. If you need your pens tested, get in touch with the team at HackLabs.com.

This week's sponsor interview is with HackLabs head honcho Chris Gatford. We chat to him about a tale of two banks -- one big Middle Eastern bank and one small Australian bank. They're two organisations with very different approaches to security and very different security postures, but both eventually failed penetration tests by making the same simple mistakes.

This week's show was being produced on the road so it's a bit of a different format -- I did a longer than usual news panel session from the conference floor!

Our news discussion panel consists of:

The Grugq
Dominic White, SensePost
Charl van der Walt, SensePost
Andrew MacPherson, Paterva (Maltego)

After that we've got this week's sponsor interview with Peleus Uhley of Adobe.

Adobe is this week's sponsor, big thanks to them, and Peleus joins the show to talk about throwing a spanner in the works of mass malware customisation. We look at some of the approaches large vendors are using these days to disrupt the development lifecycle of the bad guys. It's interesting stuff and it's after the news.

This week's edition of the show is pre-recorded because I'm off surfing in Jeffreys Bay, South Africa. There will be no show next week, but the week after that I'll be bringing you an episode from the ITWeb Security Summit in Johannesburg where I'm speaking.

In this week's show we've got a great interview with Wade Baker, the managing principal of Verizon's RISK team, and the topic, of course, is this year's Verizon Data Breach Investigations Report.

We've also got a sponsor interview with Marcus Ranum of Tenable Network Security. Tenable is this week's sponsor, so you can thank them for making this week's show possible. Do check out Tenable.com for all your vulnerability scanning and SIEM needs!

We chat with Marcus about what he calls economic spoiler attacks -- these are the disruptive, state-sponsored attacks we've seen against Saudi Aramco and South Korea.

If you'd like to download this week's track, you can grab it for free from the TripleJ Unearthed website here.

This week's show is jam packed. We'll be hearing from our favourite firmware hacker, sneaky Snare, all about the leak of AMI's UEFI implementation source code and firmware signing key. What will it mean for firmware research?

We'll also be chatting with Nick Ellsmore. Nick founded a company here in Australia called SIFT, which eventually merged with Stratsec, which was then bought by BAE. These days, apart from being ridiculously wealthy, Nick has put together Delling Advisory, a consultancy focussing on mergers and acquisitions in information security.

And he's been writing some very interesting blog posts about the Australian information security market. He might be focussing on things downunder, but I'm pretty sure what we're talking about today applies everywhere -- penetration testing revenue estimates just don't add up. Nick believes a lot of mandated pentesting work in Australia is actually being done by IT systems integrators that don't actually have appropriate skills, or isn't being done at all.

This week's show is brought to you by Senetas, an absolutely awesome company that makes layer two crypto gear. You should go to Senetas.com and buy all their things. In this week's sponsor interview we're chatting with Senetas CTO Julian Fay about a proposed extension to BitCoin called Zerocoin. The extension is designed to make Bitcoin anonymous.

As always, Adam Boileau joins us for the week's news headlines. Show notes are here.

This week's feature interview is with Mark Dowd of Azimuth Security. Mark joins the show to fill us in on the latest trends in vulnerability research and exploit development. We recap CanSecWest's Pwn2Own competition and look at what 2013 has in store research-wise.

Risky.Biz is pleased to welcome a new sponsor to the lineup -- Solera Networks, makers of fine, big data security software.

These guys make packet capture-based security kit that I'm told is pretty impressive. And we've got an interesting chat in this week's sponsor interview with Solera's chief technology officer Joe Levy. We chat to him about some of the basics of big data security, as well as looking at how point solution providers are increasingly integrating their kit with established SIEM gear and log management consoles.

Insomnia Security's Adam Boileau joins us for a discussion of the week's news.

Show notes here.