Podcasts

This week's show is a shorter one than usual -- we've just got the news segment with Adam and a sponsor interview.

This week's show is sponsored by our benevolent overlords at Adobe! Big thanks to them. And we've got a fascinating chat in this week's show with Adobe's Steve Gotwalls about auto updaters.

How have they been architected? What do the update mechanisms look like? Are the update packages served via https or http? Can you cache them at your border? Should enterprise networks swallow updates without doing independent QA?

This is a surprisingly interesting topic, when we think about how much patch management has changed over the years.

This week's feature interview is with Wayne Ronaldson. Wayne's a security consultant with a company here called CQR, but he's cobbled together a fascinating little side project called Exploitable Labs.

In essence, Exploitable Labs is an online capture the flag environment. Participants connect to it, then go about finding various types of vulnerabilities -- in Web applications, servers and network devices. At the end of the exercise, the system spits out a report that can tell the participant where they're hot and where they're not.

Wayne designed the service to be used by people who hire penetration testers -- it's not a certification like CREST, it's an evaluation. It's an interesting idea!

Adam Boileau, as always, joins the show for a chat about the news headlines.

On this week's show we're taking a look at the new release of the data mining and network footprinting tool Maltego. it's called Radium and the focus is very much on automation.

One click network footprinting for the win! Maltego creator Roelof Temmingh will be along in this week's feature interview to walk us through the new features. There's some interesting stuff in that interview about network information leaks. All your internal IP ranges R belong to Roelof!

This week's show is brought to you by HackLabs.

In this week's sponsor interview we chat with HackLabs head honcho Chris Gatford about the insider threat.

What can you do to minimise your chances of getting hosed by a disgruntled former staffer? That's an interesting segment that touches on account and access management, DLP and ghost account audits.

Speaking of sponsorship, we've got some sponsor vacancies opening up from next week and intro next year. So if you fancy sponsoring Risky Business, let me know.

Risky.Biz gets around 25,000 unique visitors a month from all over the globe, with around 16,000-20,000 episodes downloaded each month!

And you know what? It's a high quality audience. If you'd like to see some listener testimonials from enterprise security folks or talk about sponsorship, get in touch with me: patrick [at] risky.biz.

On this week's show we're talking to Rapid7's HD Moore about recent attacks against the Saudi Aramco oil company that saw 30,000 of 40,000 machines rendered inoperable for around 10 days.

It's the single most destructive attack I've ever heard of.

This week's show is brought to you by Insomnia Security. You might know this week's sponsor guest -- it's out news buddy Adam Boileau, aka Metlstorm.

Adam works for Insomnia! So it's the MOAR METL edition this week! He'll be along a bit later to talk about new trends in security assessments; new ways of doing things that can gauge how effective organisations are at detecting what he calls the "lateral movement" of attackers through networks. As you'd expect, it's very interesting stuff and it's coming up after this week's feature interview.

In this week's feature interview we're getting an update on some research we looked at last year. Loukas of Assurance.com.au in Melbourne had been playing around with some "evil maid" EFI hacks on Macs, but he's done some more work on them and presented his findings at BlackHat in July.

He joins the show to discuss his latest EFI work. See this week's show notes for links to his slide deck and paper, as well as links to this week's news.

This week's show is brought to you by Adobe!

Adobe's head of product security Brad Arkin joins us to give us some development tips for smaller coding teams. He also discusses his involvement with the RSA conference -- he'll be helping to select some talks.

On this week's show we chat with Recurity Labs' Felix "FX" Lindner and Greg Kopf in the feature segment.

These guys recently shredded some Huawei equipment. They owned it hard and turned it into a DEFCON talk [pdf]. They'll be along a bit later on to tell us why hacking away at Huawei kit made them feel nostalgic.

This week's show is brought to you by the fine folks at Australian pentesting firm HackLabs, so I hope you'll keep them in mind next time you're firing off those RFPs!

HackLabs founder and main man Chris Gatford joins us in this week's sponsor slot to discuss the extremely clever social engineering attack against accounts belonging to technology journalist Mat Honan. he got owned pretty hard. No clientsides, no exploits, no bruteforcing. Just a few phone calls.

On this week's show we chat with Microsoft's Katie Moussouris about the company's BlueHat prize. How successful was the prize, and did it get Microsoft value for money in terms of quality entries?

Katie took some time out from her maternity leave to join the show.

This week's show is brought to you by Tenable Network Security.

In this week's sponsor interview with Tenable founder and CEO Ron Gula we get a bit philosophical. Has it become culturally acceptable in the business world to get owned?

If LinkedIn and Sony can have such a bad time, are major incidents therefore seen as routine?

Follow Patrick Gray on Twitter.

I've been busy preparing my debate speech for tomorrow's Splendour in the Grass music festival, so this week's show is a shorter one than usual; there's no feature interview.

But we've got a fascinating sponsor interview with SensePost's Glenn Wilkinson coming up. He's a lead security analyst with SensePost in its London office. He and his colleague Daniel Cuthbert are doing a talk and tool release at 44con in September called Terrorism, Tracking, Privacy and Human Interactions.

They set about writing some really creepy Big Brother-style tools for doing massive surveillance by dropping a few wireless access points around London. And you know what? As it turns out it's really easy to be really creepy!

On this week's show the NSA's former Technical Director of Information Assurance, Brian Snow, joins the program to warn us that recent advancements in quantum computing could invalidate all of our cryptographic systems within 15 years.

So we'd better get cracking on finding alternatives!

This week's show is brought to you by the security team at Adobe! Big thanks to them. And Adobe's head of security and privacy Brad Arkin will be along later in the show to discuss Adobe's planned deprecation of Flash on mobile devices. As of September 2013 the whole lot goes dark permanently, so how DO you manage that sort of support withdrawal?

That's this week's sponsor interview.

On this week's edition of the show we catch up with Mark Dowd of Azimuth security for a bit of a chat about Apple's upcoming iOS 6 operating system and its security features. We also wind up chatting about Apple's approach to OS security in general and the whole signed code appstore thing, it's fun stuff!

This week's show is brought to you by Tenable Network Security -- the most long term and loyal supporter of this podcast.

Tenable founder and CEO Ron Gula joins us later on in the show to chat about the media hype surrounding DNSChanger and Flame, as well as talking about some really, really rudimentary approaches to picking up stuff your AV may have missed. That's this week's sponsor interview.

In this week's news segment, Insomnia Security's Adam Boileau joins the program to discuss the following stories:

Govt defends need to snoop on online and phone records | Information, Gadgets, Mobile Phones News & Reviews | News.com.au
http://www.news.com.au/technology/govt-defends-need-to-keep-internet-dat...

1.3M Cellphone Snooping Requests Yearly? It's Time for Privacy and Transparency Laws | Threat Level | Wired.com
http://www.wired.com/threatlevel/2012/07/mobile-data-transparency/

AusCERT loses passwords to Govt service - Web/client - SC Magazine Australia - Secure Business Intelligence
http://www.scmagazine.com.au/News/307954,auscert-loses-passwords-to-govt...

Gone in 3 Minutes: Keyless BMWs a Boon to Hacker Thieves | Threat Level | Wired.com
http://www.wired.com/threatlevel/2012/07/keyless-bmw-gone/

Android forum site hacked; data swiped on 1 million users | Security & Privacy - CNET News
http://news.cnet.com/8301-1009_3-57471297-83/android-forum-site-hacked-d...

Top domains and passwords compromised by Yahoo breach | Security & Privacy - CNET News
http://news.cnet.com/8301-1009_3-57471299-83/top-domains-and-passwords-c...

Formspring disables user passwords in security breach | Security & Privacy - CNET News
http://news.cnet.com/8301-1009_3-57469944-83/formspring-disables-user-pa...

Apple Receives NFC Patent, But Takes It Slow with Mobile Payments | threatpost
http://threatpost.com/en_us/blogs/apple-receives-nfc-patent-taking-it-sl...

Anonymous Group Says It Gave Syrian E-mails to WikiLeaks | Threat Level | Wired.com
http://www.wired.com/threatlevel/2012/07/anonymous-syrian-emails/

WikiLeaks Wins Icelandic Court Battle Against Visa for Blocking Donations | Threat Level | Wired.com
http://www.wired.com/threatlevel/2012/07/wikileaks-visa-blockade/

Instagram Patches "Friendship Vulnerability" Privacy Hole | threatpost
http://threatpost.com/en_us/blogs/instagram-patches-friendship-vulnerabi...

Google Adds Full Flash Sandbox to Chrome 21 | threatpost
http://threatpost.com/en_us/blogs/google-adds-full-flash-sandbox-chrome-...

Google Patches Three High-Priority Flaws in Chrome 20 | threatpost
http://threatpost.com/en_us/blogs/google-patches-three-high-priority-fla...

Microsoft Revokes Trust in 28 of Its Own Certificates | threatpost
http://threatpost.com/en_us/blogs/microsoft-revokes-trust-28-its-own-cer...

NSA Chief Says Today's Cyber Attacks Amount to 'Greatest Transfer of Wealth in History' | threatpost
http://threatpost.com/en_us/blogs/nsa-chief-says-todays-cyber-attacks-am...

Deep Packet Inspection Firm Cyberoam Issues Fix Following Private Key Leak | threatpost
http://threatpost.com/en_us/blogs/deep-packet-inspection-firm-cyberoam-i...

Hackers can break into your Cisco TelePresence sessions | ZDNet
http://www.zdnet.com/hackers-can-break-into-your-cisco-telepresence-sess...

Data-breach laws are coming: OAIC assistant | ZDNet
http://www.zdnet.com/data-breach-laws-are-coming-oaic-assistant-7000000761/

Stratfor Class Action Settlement Email
http://cryptome.org/2012/07/sterling-stratfor-email.htm