Podcasts

News, analysis and commentary

Risky Business #251 -- Thunderbolt strikes Mac EFI

Presented by

Patrick Gray

CEO and Publisher

Adam Boileau

Technology Editor

In this week's feature interview we're getting an update on some research we looked at last year. Loukas of Assurance.com.au in Melbourne had been playing around with some "evil maid" EFI hacks on Macs, but he's done some more work on them and presented his findings at BlackHat in July.

He joins the show to discuss his latest EFI work. See this week's show notes for links to his slide deck and paper, as well as links to this week's news.

This week's show is brought to you by Adobe!

Adobe's head of product security Brad Arkin joins us to give us some development tips for smaller coding teams. He also discusses his involvement with the RSA conference -- he'll be helping to select some talks.

Risky Business #250 -- Hack it like it's 1999

On this week's show we chat with Recurity Labs' Felix "FX" Lindner and Greg Kopf in the feature segment.

These guys recently shredded some Huawei equipment. They owned it hard and turned it into a DEFCON talk [pdf]. They'll be along a bit later on to tell us why hacking away at Huawei kit made them feel nostalgic.

This week's show is brought to you by the fine folks at Australian pentesting firm HackLabs, so I hope you'll keep them in mind next time you're firing off those RFPs!

HackLabs founder and main man Chris Gatford joins us in this week's sponsor slot to discuss the extremely clever social engineering attack against accounts belonging to technology journalist Mat Honan. He got owned pretty hard. No clientsides, no exploits, no bruteforcing. Just a few phone calls.

Show notes

http://phenoelit.org/stuff/Huawei_DEFCON_XX.pdf

THIS WEEK'S NEWS ITEMS:

Stratfor emails reveal secret, widespread TrapWire surveillance system - RT
http://rt.com/usa/news/stratfor-trapwire-abraxas-wikileaks-313/

Is TrapWire surveillance really spying on Americans? - Technolog on NBCNews.com
http://www.technolog.msnbc.msn.com/technology/technolog/trapwire-surveil...

New Gauss Malware, Descended From Flame and Stuxnet, Found On Thousands of PCs in Middle East | threatpost
http://threatpost.com/en_us/blogs/new-gauss-malware-descended-flame-and-...

Amazon addresses security exploit after journalist hack | Security & Privacy - CNET News
http://news.cnet.com/8301-1009_3-57488759-83/amazon-addresses-security-e...

Apple responds to journalist's iCloud hack | Security & Privacy - CNET News
http://news.cnet.com/8301-1009_3-57487873-83/apple-responds-to-journalis...

One way to make passwords obsolete -- just keep typing | Security & Privacy - CNET News
http://news.cnet.com/8301-1009_3-57492355-83/one-way-to-make-passwords-o...

DOJ Won't Ask Supreme Court to Review Hacking Case | Threat Level | Wired.com
http://www.wired.com/threatlevel/2012/08/computer-fraud-supreme-court/

Goldman Sachs Programmer Back in Court on New Charges | Threat Level | Wired.com
http://www.wired.com/threatlevel/2012/08/sergey-aleynikov-new-charges/

FTC Dings Google $22.5M in Safari Cookie Flap | Threat Level | Wired.com
http://www.wired.com/threatlevel/2012/08/ftc-google-cookie/

Microsoft Releases Attack Surface Analyzer Tool | threatpost
http://threatpost.com/en_us/blogs/microsoft-releases-attack-surface-anal...

#684121 - libotr2: Buffer overflows in libotr - Debian Bug report logs
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=684121

Anonymous targets ASIO, government websites | ZDNet
http://www.zdnet.com/au/anonymous-targets-asio-government-websites-70000...

Oracle Warns Users About Privilege Escalation Bug in Database Server | threatpost
http://threatpost.com/en_us/blogs/oracle-warns-users-about-privilege-esc...

The secret is already out there. You don't need to become so sensitive about that one. - James Cullem

Risky Business #249 -- Did the BlueHat prize experiment succeed?

On this week's show we chat with Microsoft's Katie Moussouris about the company's BlueHat prize. How successful was the prize, and did it get Microsoft value for money in terms of quality entries?

Katie took some time out from her maternity leave to join the show.

This week's show is brought to you by Tenable Network Security.

In this week's sponsor interview with Tenable founder and CEO Ron Gula we get a bit philosophical. Has it become culturally acceptable in the business world to get owned?

If LinkedIn and Sony can have such a bad time, are major incidents therefore seen as routine?

Follow Patrick Gray on Twitter.

Show notes

Get the podcast here.

Expert: Huawei routers are riddled with vulnerabilities | Security & Privacy - CNET News
http://news.cnet.com/8301-1009_3-57482813-83/expert-huawei-routers-are-r...

Divide and Conquer: Cracking MS-CHAPv2 with a 100% success rate
https://www.cloudcracker.com/blog/2012/07/29/cracking-ms-chap-v2/

Full Disclosure: nvidia linux binary driver priv escalation exploit
http://seclists.org/fulldisclosure/2012/Aug/4

Firm Sees More DDoS Attacks Aimed at Telecom Systems | threatpost
http://threatpost.com/en_us/blogs/firm-sees-more-ddos-attacks-aimed-tele...

Republicans block vote on cybersecurity bill | Security & Privacy - CNET News
http://news.cnet.com/8301-1009_3-57485404-83/republicans-block-vote-on-c...

Vasillis Pappas Wins $200,000 Microsoft Blue Hat Prize | threatpost
http://threatpost.com/en_us/blogs/vasillis-pappas-wins-200000-microsoft-...

In First Black Hat Talk, Apple Reveals Little New About iOS Security | threatpost
http://threatpost.com/en_us/blogs/first-black-hat-talk-apple-reveals-lit...

Facebook aims 'bug bounty' at in-house network | Security & Privacy - CNET News
http://news.cnet.com/8301-1009_3-57480383-83/facebook-aims-bug-bounty-at...

More information on Security Advisory 2737111 - Security Research & Defense - Site Home - TechNet Blogs
http://blogs.technet.com/b/srd/archive/2012/07/24/more-information-on-se...

Anonymous in a tizzy over logo trademark | Security & Privacy - CNET News
http://news.cnet.com/8301-1009_3-57484468-83/anonymous-in-a-tizzy-over-l...

Does Cybercrime Really Cost $1 Trillion? | Threat Level | Wired.com
http://www.wired.com/threatlevel/2012/08/cybercrime-trillion/all/

Illinois Outlaws Employer Requests for Facebook Passwords | threatpost
http://threatpost.com/en_us/blogs/illinois-outlaws-employer-requests-fac...

Anonymous dumps hacked AAPT data - Hackers - SC Magazine Australia - Secure Business Intelligence
http://www.scmagazine.com.au/News/310159,anonymous-dumps-hacked-aapt-dat...

OAuth 2.0 and the Road to Hell « hueniverse
http://hueniverse.com/2012/07/oauth-2-0-and-the-road-to-hell/

FX's Huawei slides:
http://phenoelit.org/stuff/Huawei_DEFCON_XX.pdf

They surely are riddled with uncertainties. It will become a little bit better if you ask me. - Reputation Advocate

Risky Business #248 -- Being Big Brother on a budget

I've been busy preparing my debate speech for tomorrow's Splendour in the Grass music festival, so this week's show is a shorter one than usual; there's no feature interview.

But we've got a fascinating sponsor interview with SensePost's Glenn Wilkinson coming up. He's a lead security analyst with SensePost in its London office. He and his colleague Daniel Cuthbert are doing a talk and tool release at 44con in September called Terrorism, Tracking, Privacy and Human Interactions.

They set about writing some really creepy Big Brother-style tools for doing massive surveillance by dropping a few wireless access points around London. And you know what? As it turns out it's really easy to be really creepy!

Show notes

Australia, Canada 'primary spy targets'
http://www.theage.com.au/opinion/political-news/australia-canada-primary...

Nearly 5 Million People Have Government Security Clearances | Threat Level | Wired.com
http://www.wired.com/threatlevel/2012/07/security-clearances-increasing/

AAPT hacked by Anonymous - Security - Technology - News - CRN Australia
http://www.crn.com.au/News/309915,aapt-hacked-by-anonymous.aspx

Anonymous hackers cripple Aussie government websites | Information, Gadgets, Mobile Phones News & Reviews | News.com.au
http://www.news.com.au/technology/anonymous-hackers-cripples-aussie-gove...

Par:AnoIA | Meanwhile in Australia
http://par-anoia.net/queensland/

Watching the crooks: Researcher monitors cyber-espionage ring | Security & Privacy - CNET News
http://news.cnet.com/8301-1009_3-57479682-83/watching-the-crooks-researc...

Microsoft implements BlueHat prize tech | Security & Privacy - CNET News
http://news.cnet.com/8301-1009_3-57479407-83/microsoft-implements-blueha...

Charlie Miller Takes on NFC, Charlie Miller Wins | threatpost
http://threatpost.com/en_us/blogs/charlie-miller-takes-nfc-charlie-mille...

Reverse-Engineered Irises Look So Real, They Fool Eye-Scanners | Threat Level | Wired.com
http://www.wired.com/threatlevel/2012/07/reverse-engineering-iris-scans/

Siemens Patches Stuxnet-Like SCADA Bugs | threatpost
http://threatpost.com/en_us/blogs/siemens-patches-stuxnet-scada-bugs-072...

Grum Botnet Briefly Revived, Now Dead Again | threatpost
http://threatpost.com/en_us/blogs/grum-botnet-briefly-revived-now-dead-a...

Black Hat: Phishing E-Mail Scare A False Alarm | threatpost
http://threatpost.com/en_us/blogs/black-hat-phishing-e-mail-scare-false-...

Termineter Security Framework for Smart Meters Released | threatpost
http://threatpost.com/en_us/blogs/termineter-security-framework-smart-me...

This Xbox HDMI cable has 'anti-virus protection' | ZDNet
http://www.zdnet.com/this-xbox-hdmi-cable-has-anti-virus-protection-7000...

Skype makes chats and user data more available to police - The Washington Post
http://www.washingtonpost.com/business/economy/skype-makes-chats-and-use...

McKinnon extradition decision date set for mid-October | ZDNet
http://www.zdnet.com/mckinnon-extradition-decision-date-set-for-mid-octo...

Power Pwn: This DARPA-funded power strip will hack your network | ZDNet
http://www.zdnet.com/power-pwn-this-darpa-funded-power-strip-will-hack-y...

Eight million passwords stolen from gaming site - Crypto - SC Magazine Australia - Secure Business Intelligence
http://www.scmagazine.com.au/News/309627,eight-million-passwords-stolen-...

And why is Canada a target of spies? I don't quite see what is with Canada that makes them so. - Feed the Children Reviews

Following on from the uses of smart-phone wifi detection comes the interesting idea from GM - identify pedestrians before you see them in low-visibility situations.

http://mobile.slashdot.org/story/12/07/29/1412252/gm-working-on-wi-fi-di...

Great show - high point of week's technical listening

Risky Business #247 -- Could a quantum leap spell the end of crypto?

On this week's show the NSA's former Technical Director of Information Assurance, Brian Snow, joins the program to warn us that recent advancements in quantum computing could invalidate all of our cryptographic systems within 15 years.

So we'd better get cracking on finding alternatives!

This week's show is brought to you by the security team at Adobe! Big thanks to them. And Adobe's head of security and privacy Brad Arkin will be along later in the show to discuss Adobe's planned deprecation of Flash on mobile devices. As of September 2013 the whole lot goes dark permanently, so how DO you manage that sort of support withdrawal?

That's this week's sponsor interview.

Show notes

Password Leaks Continue: Billabong, NVIDIA Accounts Compromised | threatpost
http://threatpost.com/en_us/blogs/password-leaks-continue-billabong-nvid...

Hacker Claims Compromise of IT Recruiter | threatpost
http://threatpost.com/en_us/blogs/hacker-claims-compromise-wall-street-i...

Yahoo gives all clear after hack attack | Security & Privacy - CNET News
http://news.cnet.com/8301-1009_3-57472023-83/yahoo-gives-all-clear-after...

Microsoft: Fake Skype For Android App Linked To SMS Scams | threatpost
http://threatpost.com/en_us/blogs/microsoft-fake-skype-android-app-linke...

Google Hardens Chrome To Block Malicious Extensions | threatpost
http://threatpost.com/en_us/blogs/google-hardens-chrome-block-malicious-...

Former Pentagon Analyst Warns China Has Back Doors To Global Telcos | threatpost
http://threatpost.com/en_us/blogs/former-pentagon-analyst-warns-china-ha...

FBI Investigating Major Chinese Firm for Selling Spy Gear to Iran | Threat Level | Wired.com
http://www.wired.com/threatlevel/2012/07/fbi-zte/

Senators introduce amended cybersecurity measure | Security & Privacy - CNET News
http://news.cnet.com/8301-1009_3-57476215-83/senators-introduce-amended-...

Skype squashes bug that sends messages to random contacts | ZDNet
http://www.zdnet.com/skype-squashes-bug-that-sends-messages-to-random-co...

Symantec antivirus software update crashes some PCs | Security & Privacy - CNET News
http://news.cnet.com/8301-1009_3-57472624-83/symantec-antivirus-software...

Oracle won't patch zero-day hole in Database | ZDNet
http://www.zdnet.com/oracle-wont-patch-zero-day-hole-in-database-7000001...

Nike hacker steals over $80,000 | ZDNet
http://www.zdnet.com/nike-hacker-steals-over-80000-7000001177/

Officials attack Grum: World's third largest botnet (18% of spam) | ZDNet
http://www.zdnet.com/officials-attack-grum-worlds-third-largest-botnet-1...

Security flaw found in Amazon's Kindle Touch | ZDNet
http://www.zdnet.com/security-flaw-found-in-amazons-kindle-touch-7000001...

Apple iOS in-app purchases hacked; everything is free (video) | ZDNet
http://www.zdnet.com/apple-ios-in-app-purchases-hacked-everything-is-fre...

Charlie Miller: 'Difficult to write exploits' for Android 4.1 | ZDNet
http://www.zdnet.com/charlie-miller-difficult-to-write-exploits-for-andr...

Assad's sexist email jokes leaked | Herald Sun
http://www.heraldsun.com.au/news/breaking-news/assads-sexist-email-jokes...

[Event] Information Security Awareness Tour 2012 - Registration Open and Call for Speakers/Sponsors | in2securITy
http://www.in2security.org.nz/?q=node/153

The recruiter is going to be hunted. He messed up with the wrong people. - Feed the Children Reviews

Risky Business #246 -- Here lies password authentication. RIP.

On this week's edition of the show we catch up with Mark Dowd of Azimuth Security for a bit of a chat about Apple's upcoming iOS 6 operating system and its security features. We also wind up chatting about Apple's approach to OS security in general and the whole signed code App Store thing. It's fun stuff!

This week's show is brought to you by Tenable Network Security -- the most long term and loyal supporter of this podcast.

Tenable founder and CEO Ron Gula joins us later on in the show to chat about the media hype surrounding DNSChanger and Flame, as well as talking about some really, really rudimentary approaches to picking up stuff your AV may have missed. That's this week's sponsor interview.

In this week's news segment, Insomnia Security's Adam Boileau joins the program to discuss the following stories:

Govt defends need to snoop on online and phone records | Information, Gadgets, Mobile Phones News & Reviews | News.com.au
http://www.news.com.au/technology/govt-defends-need-to-keep-internet-dat...

1.3M Cellphone Snooping Requests Yearly? It's Time for Privacy and Transparency Laws | Threat Level | Wired.com
http://www.wired.com/threatlevel/2012/07/mobile-data-transparency/

AusCERT loses passwords to Govt service - Web/client - SC Magazine Australia - Secure Business Intelligence
http://www.scmagazine.com.au/News/307954,auscert-loses-passwords-to-govt...

Gone in 3 Minutes: Keyless BMWs a Boon to Hacker Thieves | Threat Level | Wired.com
http://www.wired.com/threatlevel/2012/07/keyless-bmw-gone/

Android forum site hacked; data swiped on 1 million users | Security & Privacy - CNET News
http://news.cnet.com/8301-1009_3-57471297-83/android-forum-site-hacked-d...

Top domains and passwords compromised by Yahoo breach | Security & Privacy - CNET News
http://news.cnet.com/8301-1009_3-57471299-83/top-domains-and-passwords-c...

Formspring disables user passwords in security breach | Security & Privacy - CNET News
http://news.cnet.com/8301-1009_3-57469944-83/formspring-disables-user-pa...

Apple Receives NFC Patent, But Takes It Slow with Mobile Payments | threatpost
http://threatpost.com/en_us/blogs/apple-receives-nfc-patent-taking-it-sl...

Anonymous Group Says It Gave Syrian E-mails to WikiLeaks | Threat Level | Wired.com
http://www.wired.com/threatlevel/2012/07/anonymous-syrian-emails/

WikiLeaks Wins Icelandic Court Battle Against Visa for Blocking Donations | Threat Level | Wired.com
http://www.wired.com/threatlevel/2012/07/wikileaks-visa-blockade/

Instagram Patches "Friendship Vulnerability" Privacy Hole | threatpost
http://threatpost.com/en_us/blogs/instagram-patches-friendship-vulnerabi...

Google Adds Full Flash Sandbox to Chrome 21 | threatpost
http://threatpost.com/en_us/blogs/google-adds-full-flash-sandbox-chrome-...

Google Patches Three High-Priority Flaws in Chrome 20 | threatpost
http://threatpost.com/en_us/blogs/google-patches-three-high-priority-fla...

Microsoft Revokes Trust in 28 of Its Own Certificates | threatpost
http://threatpost.com/en_us/blogs/microsoft-revokes-trust-28-its-own-cer...

NSA Chief Says Today's Cyber Attacks Amount to 'Greatest Transfer of Wealth in History' | threatpost
http://threatpost.com/en_us/blogs/nsa-chief-says-todays-cyber-attacks-am...

Deep Packet Inspection Firm Cyberoam Issues Fix Following Private Key Leak | threatpost
http://threatpost.com/en_us/blogs/deep-packet-inspection-firm-cyberoam-i...

Hackers can break into your Cisco TelePresence sessions | ZDNet
http://www.zdnet.com/hackers-can-break-into-your-cisco-telepresence-sess...

Data-breach laws are coming: OAIC assistant | ZDNet
http://www.zdnet.com/data-breach-laws-are-coming-oaic-assistant-7000000761/

Stratfor Class Action Settlement Email
http://cryptome.org/2012/07/sterling-stratfor-email.htm

Risky Business #245 -- Drop boxes for the win

In this week's podcast we're chatting with Jonathan Cran of Pwnie Express.

Pwnie Express makes dropboxes that were designed to be used by pentesters. Funnily enough people have actually found all sorts of non-illicit uses for them.

In this week's sponsor interview we chat with HackLabs' penetration tester Jody Melbourne to ask if there's a future for hacktivists after SQLi bugs are a thing of the past.

In this week's news segment with Adam Boileau we discuss the following items:

'DNSChanger' Malware Could Strand Thousands When Domains Go Dark on Monday | Threat Level | Wired.com
http://www.wired.com/threatlevel/2012/07/dns-changer-going-dark/

Report: Wireless Hacking Suspected In Air Raid Siren Miscues | threatpost
http://threatpost.com/en_us/blogs/report-wireless-hacking-suspected-air-raid-siren-miscues-070512

Cisco Pulls Back on Routers' 'Supplemental Privacy Policy' | threatpost
http://threatpost.com/en_us/blogs/cisco-pulls-back-routers-supplemental-privacy-policy-070312

There is No Reason to Take a Picture of Your Debit Card ...Ever | threatpost
http://threatpost.com/en_us/blogs/there-no-reason-take-picture-your-debit-card-ever-070312

New Version of Sykipot Trojan Linked To Targeted Attacks On Aerospace Industry | threatpost
http://threatpost.com/en_us/blogs/new-version-sykipot-trojan-linked-targeted-attacks-aerospace-industry-070312

Mac OS X, Windows Backdoors Used in New APT Attacks | threatpost
http://threatpost.com/en_us/blogs/mac-os-x-windows-backdoors-used-new-apt-attacks-062912

Microsoft Names Two Alleged Zeus Botnet Operators | threatpost
http://threatpost.com/en_us/blogs/microsoft-names-two-alleged-zeus-botnet-operators-070312

Appeals Court Calls Bank's Security "Commercially Unreasonable" | threatpost
http://threatpost.com/en_us/blogs/appeals-court-calls-bank-s-security-commercially-unreasonable-070512

Senator Seeks to Strengthen SEC-Required Cybercrime Reporting | threatpost
http://threatpost.com/en_us/blogs/senator-seeks-strengthen-sec-required-cybercrime-reporting-070212

Adobe: No Flash Player For Future Android Versions | threatpost
http://threatpost.com/en_us/blogs/adobe-no-flash-player-future-android-versions-062912

Iran state TV: The BBC hacked us | ZDNet
http://www.zdnet.com/iran-state-tv-the-bbc-hacked-us-7000000334/

WikiLeaks starts publishing millions of 'Syria Files' emails | ZDNet
http://www.zdnet.com/wikileaks-starts-publishing-millions-of-syria-files-emails-7000000316/

Want cheaper insurance? Brush up on your IT security | ZDNet
http://www.zdnet.com/want-cheaper-insurance-brush-up-on-your-it-security-7000000251/

NBN Co: Huawei FOI could harm national security | ZDNet
http://www.zdnet.com/nbn-co-huawei-foi-could-harm-national-security-7000000106/

Risky Business #244 -- Padding oracle attacks on crypto tokens: How bad?

There's a lot of really interesting news this week. Adam Boileau is back on deck at the top of the show to discuss shitty security at the Ecuadorian embassy in London, the new tool DroidSheep, DARPA's (DERPA? Lol.) attempts at securing the architectural mess that is Android, dudes going to prison, other dudes getting away with stuff and much, much more!

In this week's feature interview we chat with Matthew D. Green, Assistant Research Professor at Johns Hopkins University's Information Security Institute. We're talking to him about some recently unveiled attacks against hardware tokens that enable attackers to extract key material that's supposed to be protected. Oops!

Matthew blogged about it here, and the paper we discuss is here [pdf].

This week's show is brought to you by our good friends at SensePost! SensePost founder and director Charl Van Der Walt will be along in this week's sponsor interview to discuss what he's learned from teaching BlackHat courses for 10 years.

Risky Business #243 -- Quickly! To Ecuador!

In this week's news segment we cover Julian Assange's attempt at martyrdom in style, claims of a Twitter outage, the cracking of 923-bit pairing-based encryption in Japan, the blackmailing of an American firm by hackers, Face.com's tragic fail, The Washington Post's stunning (not) revelation that Flame was the work of the US and Israel, AutoCAD worms, bug bounties and more!

Insomnia Security's Mark Piper tackles all that at the top of the show. He's filling in for Adam Boileau.

Also in this week's show we're chatting with Adobe's director of product security and privacy Brad Arkin. We're talking to him all about an opinion piece Bruce Schneier wrote for Forbes about twisted incentives in the vulnerability market. It's interesting stuff.

That's this week's sponsor interview.

There's no feature interview this week and possibly no podcast next week. Family stuff.

Risky Business #242 -- Massive recon with HD Moore

On this week's show we chat with Rapid7's H D Moore about massive recon in both the IPv4 and IPv6 worlds. He's been busy basically banner grabbing the entire Internet and he's found some really, really weird stuff out there. There are some very interesting nuggets in that interview. Check it out.

This week's show is brought to you by Tenable Network Security, so in this week's sponsor interview we're chatting with Tenable's CSO Marcus Ranum about why the hell people are still using fast hashing algorithms for password storage. We also talk about a couple of novel approaches to authenticating high-value clients in the finance world.

Normally we'd start off with the week's news segment with Adam Boileau, but he's off in Estonia at the moment, so filling in for him this week is his colleague at Insomnia Security, Mark "Pipes" Piper.
