Podcasts

Risky Business #245 -- Drop boxes for the win

Presented by Patrick Gray (CEO and Publisher) and Adam Boileau (Technology Editor)

In this week's podcast we're chatting with Jonathan Cran of Pwnie Express.

Pwnie Express makes dropboxes that were designed to be used by pentesters. Funnily enough people have actually found all sorts of non-illicit uses for them.

In this week's sponsor interview we chat with HackLabs' penetration tester Jody Melbourne to ask if there's a future for hacktivists after SQLi bugs are a thing of the past.

In this week's news segment with Adam Boileau we discuss the following items:

'DNSChanger' Malware Could Strand Thousands When Domains Go Dark on Monday | Threat Level | Wired.com
http://www.wired.com/threatlevel/2012/07/dns-changer-going-dark/

Report: Wireless Hacking Suspected In Air Raid Siren Miscues | threatpost
http://threatpost.com/en_us/blogs/report-wireless-hacking-suspected-air-raid-siren-miscues-070512

Cisco Pulls Back on Routers' 'Supplemental Privacy Policy' | threatpost
http://threatpost.com/en_us/blogs/cisco-pulls-back-routers-supplemental-privacy-policy-070312

There is No Reason to Take a Picture of Your Debit Card ...Ever | threatpost
http://threatpost.com/en_us/blogs/there-no-reason-take-picture-your-debit-card-ever-070312

New Version of Sykipot Trojan Linked To Targeted Attacks On Aerospace Industry | threatpost
http://threatpost.com/en_us/blogs/new-version-sykipot-trojan-linked-targeted-attacks-aerospace-industry-070312

Mac OS X, Windows Backdoors Used in New APT Attacks | threatpost
http://threatpost.com/en_us/blogs/mac-os-x-windows-backdoors-used-new-apt-attacks-062912

Microsoft Names Two Alleged Zeus Botnet Operators | threatpost
http://threatpost.com/en_us/blogs/microsoft-names-two-alleged-zeus-botnet-operators-070312

Appeals Court Calls Bank's Security "Commercially Unreasonable" | threatpost
http://threatpost.com/en_us/blogs/appeals-court-calls-bank-s-security-commercially-unreasonable-070512

Senator Seeks to Strengthen SEC-Required Cybercrime Reporting | threatpost
http://threatpost.com/en_us/blogs/senator-seeks-strengthen-sec-required-cybercrime-reporting-070212

Adobe: No Flash Player For Future Android Versions | threatpost
http://threatpost.com/en_us/blogs/adobe-no-flash-player-future-android-versions-062912

Iran state TV: The BBC hacked us | ZDNet
http://www.zdnet.com/iran-state-tv-the-bbc-hacked-us-7000000334/

WikiLeaks starts publishing millions of 'Syria Files' emails | ZDNet
http://www.zdnet.com/wikileaks-starts-publishing-millions-of-syria-files-emails-7000000316/

Want cheaper insurance? Brush up on your IT security | ZDNet
http://www.zdnet.com/want-cheaper-insurance-brush-up-on-your-it-security-7000000251/

NBN Co: Huawei FOI could harm national security | ZDNet
http://www.zdnet.com/nbn-co-huawei-foi-could-harm-national-security-7000000106/

Risky Business #244 -- Padding oracle attacks on crypto tokens: How bad?

Presented by Patrick Gray (CEO and Publisher) and Adam Boileau (Technology Editor)

There's a lot of really interesting news this week. Adam Boileau is back on deck at the top of the show to discuss shitty security at the Ecuadorian embassy in London, the new tool DroidSheep, DARPA's (DERPA? Lol.) attempts at securing the architectural mess that is Android, dudes going to prison, other dudes getting away with stuff and much, much more!

In this week's feature interview we chat with Matthew D. Green, Assistant Research Professor at Johns Hopkins University's Information Security Institute. We're talking to him about some recently unveiled attacks against hardware tokens that enable attackers to extract key material that's supposed to be protected. Oops!

Matthew blogged about it here, and the paper we discuss is here [pdf].

This week's show is brought to you by our good friends at SensePost! SensePost founder and director Charl Van Der Walt will be along in this week's sponsor interview to discuss what he's learned from teaching BlackHat courses for 10 years.

Risky Business #243 -- Quickly! To Ecuador!

Presented by Patrick Gray (CEO and Publisher) and Adam Boileau (Technology Editor)

In this week's news segment we cover Julian Assange's attempt at martyrdom in style, claims of a Twitter outage, the cracking of 923-bit pairing-based encryption in Japan, the blackmailing of an American firm by hackers, Face.com's tragic fail, The Washington Post's stunning (not) revelation that Flame was the work of the US and Israel, AutoCAD worms, bug bounties and more!

Insomnia Security's Mark Piper tackles all that at the top of the show. He's filling in for Adam Boileau.

Also in this week's show we're chatting with Adobe's director of product security and privacy Brad Arkin. We're talking to him all about an opinion piece Bruce Schneier wrote for Forbes about twisted incentives in the vulnerability market. It's interesting stuff.

That's this week's sponsor interview.

There's no feature interview this week and possibly no podcast next week. Family stuff.

Risky Business #242 -- Massive recon with HD Moore

Presented by Patrick Gray (CEO and Publisher) and Adam Boileau (Technology Editor)

On this week's show we chat with Rapid7's HD Moore about massive recon in both the IPv4 and IPv6 worlds. He's been busy basically banner grabbing the entire Internet and he's found some really, really weird stuff out there. There are some very interesting nuggets in that interview. Check it out.

This week's show is brought to you by Tenable Network Security so in this week's sponsor interview we're chatting with Tenable's CSO Marcus Ranum about why the hell people are still using fast hashing algorithms for password storage. We also talk about a couple of novel approaches to authenticating high-value clients in the finance world.

Normally we'd start off with the week's news segment with Adam Boileau, but he's off in Estonia at the moment, so filling in for him this week is his colleague at Insomnia Security, Mark "Pipes" Piper.

Risky Business #241 -- Parmy Olson discusses her book on LulzSec

Presented by Patrick Gray (CEO and Publisher) and Adam Boileau (Technology Editor)

On this week's show we'll be chatting with Forbes' London bureau chief Parmy Olson.

Parmy did a great job of covering the whole LulzSec fiasco last year for Forbes, but she's gone one better and written a book about the whole thing. It's called We Are Anonymous: Inside the hacker world of LulzSec and you know what? It's pretty good!

Actually, it's really, really good. I'm about a third of the way through a review copy. Parmy joins us to talk about what it was like to stitch a story like this together.

This week's show is brought to you by those fine folk at HackLabs, a Sydney-based penetration testing firm. Its founder and big cheese Chris Gatford will be along in this week's sponsor interview to chat about two factor via cellphones.

There was a really interesting attack against 4chan through its hosting provider CloudFlare this week that involved some telephone trickery. Do people place too much trust in out-of-band second factors? Find out in this week's sponsor interview!

Adam Boileau, as always, joins us to talk about ABSOLUTELY EVERYONE GETTING OWNED! Between LinkedIn, eHarmony and Last.fm getting popped, the US as good as claiming credit for Stuxnet, Flame man-in-the-middling Windows Update and all sorts of other crazy stuff, well, it's been a hell of a week for news!

Risky Business #240 -- FPGA "back doors"

Presented by Patrick Gray (CEO and Publisher) and Adam Boileau (Technology Editor)

On this week's show we're taking a look at some research out of Cambridge University that's drawn a lot of attention. It involves a claim that researchers found a hardware back door on a Chinese-made FPGA (Field Programmable Gate Array).

That FPGA is apparently used in military hardware. You can find links to the draft paper and a write-up here.

So was this "back door" put there by super-secret Chinese cyber-warriors? Or is it something much less interesting like an undocumented debugging interface?

Peter Gutmann is this week's feature guest and he'll be telling us all about it.

This week's show is sponsored by SensePost.

SensePost is a South African security consultancy that also has a presence in Europe. They are some seriously, seriously smart people and we're thrilled to have them as a sponsor.

In this week's sponsor interview we're taking a look at some research the company has done into cloning RSA soft tokens. We all know that soft tokens are theoretically weak, but SensePost's Behrang Fouladi set his mind to actually reversing them and seeing just how easy it is. As it turns out, very.

Adam Boileau, as always, stops by to discuss the week's news.

New book claims to expose direct LulzSec-Wikileaks ties

Presented by Patrick Gray (CEO and Publisher)

If people are wondering why on Earth Wikileaks' chief Julian Assange is apparently being pursued by the US Department of Justice, a new book by Forbes' London Bureau chief Parmy Olson might help to clear things up for you.

Assange likes to proclaim that the DoJ investigation is a case of the big bad gummint being out to persecute him for being a truth-teller, but if Olson's book (Amazon) is to be believed it looks like he's been a very naughty boy.

This excerpt [pdf] from the book, published by the pre-Wikileaks leak site Cryptome, describes verified IRC contact between LulzSec ringleader turned FBI snitch Sabu and Assange in which the latter apparently urged the digital outlaws to attack specific targets in Iceland.

Bad activist! No biscuit!

All this under the watchful eye of the FBI's inside man.

This is speculation, but if any of Wikileaks staff were "directing" LulzSec's illegal activities, particularly the exfiltration of stolen information from any of the group's victims -- like Stratfor, for example -- it's my guess the entire organisation is legally fux0red. IANAL, but read the excerpt and tell me if you arrive at the same hunch as me.

Encouraging an FBI snitch to attack systems in Iceland on your behalf when the heat is already on is remarkably daft.

I'll be interviewing Parmy about her book next week.

Risky Business #239 -- The Zetas cartel and social media

Presented by Patrick Gray (CEO and Publisher) and Adam Boileau (Technology Editor)

This week's feature audio is an excerpt from an AusCERT presentation I recorded last week. The talk, by Brad Barker of the HALO Corporation, discusses the Zeta drug cartel's use of technology and social media. HALO Corporation does everything from intelligence support to kidnap and ransom consulting. Barker has an interesting analysis of how civilian technology is altering methods of operation and the wider battlefield. It's good stuff.

Adobe's director of product security Brad Arkin will be along for this week's sponsor interview to talk about Apple's decision to block vulnerable versions of Flash Player in OS X. Brad also discusses Adobe's controversial, and subsequently reversed, decision to NOT patch its CS5 suite of products against a code execution bug.

Adam Boileau, as always, drops by to discuss the week's news headlines.

DEBATE: AusCERT speed debate 2012

Presented by Patrick Gray (CEO and Publisher)

The following is the closing session from AusCERT's 2012 conference, the speed debate.

It's a chance to have a bit of a laugh at all things security and it's hosted by ABC personality Adam Spencer. Enjoy!

SPONSOR PODCAST: Why do we expect users to make good decisions?

Presented by Patrick Gray (CEO and Publisher)

At AusCERT last week I caught up with Phil Piotrowski, a threat researcher with Sophos, as well as Rob Forsyth, a director of Sophos here in Australia.

Really what this chat is all about is interface. We cover a few topics: how users are finding it increasingly difficult to determine whether a warning dialogue or popup is genuine or fake, how online crime syndicates are investing a great deal more effort into pretty graphics and good copywriting, and then we chat about how mobile operating systems like Android have succeeded by making extraordinarily complicated things appear very, very simple, and what the security implications of that are.
