Podcasts

In this week's feature interview we're chatting with Google's Ben Hawkes about the risks posed to browsers by new developments in the way they handle graphics. WebGL and Flash Stage3G allow Websites easy access to graphics cards but introduces a bunch of potential security issues. What if there's a bug in your graphics card driver? Can you then exploit that through the browser?

That, for want of a better word, would be... bad.

It's a topic that's been picking up a bit of coverage over the last six months or so, but is it overhyped?

In this week's sponsor interview we're hearing from Eddie Schwartz the Chief Security Officer of RSA security. We're chatting to him about the notion that keeping attackers out of networks just isn't realistic anymore. CSOs need to cop to that fact, Eddie says, and start looking at some fresh approaches.

We have a good chat about some of the Jericho Forum's security principles [totally legit PDF], too, and how consumer devices entering the enterprise is actually driving a deperimiterisation approach to infosec.

Adam Boileau, as always, drops in for the week's news headlines!

On this week's podcast we take a look at doing some fairly unnatural things to the OS X operating system. We'll hear how to best rootkit OS X and also how messing with EFI bootloaders can be a whole bunch of fun in terms of installing persistent rootkits in PCI firmware.

That's this week's feature interview, with our buddy Loukas from Assurance.com.au.

Also this week we're joined by Tenable Network Security's product manager Jack Daniel in the sponsor interview. He'll be chatting to us all about Dan Geer's new cybersecurity research agenda.

Adam Boileau, as always, joins us to chat about the week's news.

On this week's show we're talking Near Field Communications (NFC) with New Zealand's Nick von Dadelszen.

NFC is set to become the next big thing for micropayments, alas it looks likely there's potential to conduct all sorts of mischief using NFC-equipped mobile phones like Google's Nexus S.

NFC equipped phones are RFID readers, and Nick reckons we're about six months away from being able to use them as card emulators as well. Let the fun begin!

Also this week, RSA Australia's Mason Hooper joins us to discuss Apple's decision to expel vulnerability researcher Charlie Miller from its developer program. Miller had snuck a dodgy app into the company's official appstore that was capable of running unsigned arbitrary code. Nice trick. Apple unimpressed. But did they overreact? That's this week's sponsor interview.

Adam Boileau, of course, is this week's news guest.

NFC on mobile phones is a new phenomenon and opens a lot of possibilities for research, particularly when talking about mobile payment platforms. Lateral Security's Nick discusses the good, the bad and the ugly of mobile NFC.

RAW AUDIO.

This week's feature guest, Michael DeGusta, has done a bit of research on this topic and found, well, Android support is even WORSE than we first thought. He turned his research into a chart that went viral. Here it is:

Also this week, Sophos Network Security's Bill Prout joins us for a chinwag about webapp security in online retail.

Adam Boileau, of course, stops in to discuss the week's news headlines.

| \t Show Player | Play in Popup | Download

In this week's feature we chat to Patrick Webster about his tangle with First State Superannuation.

This is a story we've covered on the show over the last few weeks. If you haven't heard what happened, Pat spotted a bug in First State Super's statements system, probed it, let them know 12 hours later and then wound up with the police on his door!

Since then the whole saga has turned into a pretty big deal here in Australia. The police and civil actions against Webster have both been dropped and First State Super -- and its administrator -- has wound up in a bunch of trouble.

In this week's sponsor interview we're chatting with Tenable CEO Ron Gula about a recent edict from the Securities and Exchange Commission in the USA that advises companies on what sort of cyber risks and incidents they should be disclosing in their quarterly filings. Ron has an interesting take -- initially I disagreed with him but he won me over, I hope you'll stick around for that.

Adam Boileau joins the show, as usual to discuss the week's news.

Infosec reporter Brian Krebs published a splendid post a couple of days ago that apparently unmasks 760 victims of the same group that owned RSA.

I've had a look through the list and pulled out all the Australian organisations I could find. From the looks of things this list was compiled by observing computers connecting back to evil C&C in China. That would explain why there are so many ISPs listed -- it's likely it wasn't the ISPs that got pwnz0riz3d, it was their customers.

This full list is apparently doing the rounds among congressional staff in the USA.

So, Australia-centric highlights of the reverse-lookups include:

* CITEC-AU-AP QLD Government Business (IT)

Basically all QLD Government IT is outsourced to CITEC. It's the QLD state govt's IT agency.

* DSE-VIC-GOV-AS Department of Sustainability & Environment,

Also affectionately known in political circles as the Department of Scorched Earth, it looks like DSE got popped. Not much mining in Victoria, so your guess is as good as mine as to why.

* CSC-IGN-AUNZ-AP Computer Sciences Corporation

I'm guessing this was CSC itself or one of its customers. Does CSC operate a few gateways? It does here, from memory... a few in Canberra, too. *cough*

Then there are the ISPs.

* AMNET-AU-AP Amnet IT Services Pty Ltd
* TPG-INTERNET-AP TPG Internet Pty Ltd
* MICRON21-AS-AU-AP Micron21 Melbourne Australia Datacentre. Co-Location Dedicated Servers Web Hosting
* PI-AU Pacific Internet (Australia) Pty Ltd
* TELSTRA Telstra Pty Ltd
* VZB-AU-AS Verizon Australia PTY Limited
* MPX-AS Microplex PTY LTD
* IINET iiNet Limited
* MCT-SYDNEY Macquarie Telecom
* AAPT AAPT Limited

Then there's this:

* TEAM-CYMRU – Team Cymru Inc.

Some of you will know why that's equal parts funny and bad.

This week's feature interview is with Ian De Villiers of the South African security firm Sensepost.

Ian recently dropped a couple of interesting SAP security tools at 44con in London and ZACon in South Africa.

SAP makes Enterprise Resource Planning (ERP) solutions... CRM, SCM, PLM... you know, all that three-lettered, thick client enterprise stuff. It's everywhere and as it turns out, one of the only things that has saved it from thorough examination in the past has been the obscurity of its protocol.

Well, Ian, extending the work of Ukranian security guy Dennis Yurichev, has written a couple of tools that will let you play around with SAP software. He's written a protocol decoder, SAPcap, and SAProx, which Ian describes as being like Webscarab for the SAP protocol.

Also this week, Adam Boileau and I have a chat about the week's news, PLUS the latest twists in the First State Superannuation saga.

Australian security researcher Patrick Webster has received a letter from commercial law firm Minter Ellison demanding he turn over his computer to its client First State Superannuation.

The legal threat follows Webster's disclosure of a serious and trivially exploitable security vulnerability in First State Superannuation's website to the company in September.

Listen to my interview with First State Superannuation's Chief Executive Michael Dwyer AM here.

The flaw allowed any logged in member to access other member's statements by changing a single digit in their browser's URL bar.

The letter, received today, threatens to pursue Webster for costs incurred "in dealing with this matter" if he does not agree to delete all information he obtained by demonstrating the flaw and promise to never attempt to access other member information again.

Webster claims he deleted the information in September. He says some member information, around 500 statements, was downloaded to his computer when he tested a bash script that would demonstrate the flaw to the company's IT staff.

He ran it while he made a cup of tea, saw that it worked, deleted the information and sent the script to First State Superannuation's IT staff so they could independently verify the glaring security hole.

You can read the letter here.

Editorialising for a minute, if Webster had planned to do something untoward with the information he obtained in his four minutes of testing, why would he inform the company of their security issue? Why would he now retain the member information he was trying to protect by reporting the bug in the first place?

If he'd found the bug in a Facebook or Google Web application, Webster would have actually received compensation for his time, not reported to the police and threatened.

Now the company is threatening to recoup costs from him if he doesn't allow them to get their grubby, insecure mitts all over his computer. Why not just ask for a signed statutory declaration? Why resort to threats?

The irony here is it's entirely possible that the glaringly obvious, boneheaded direct object reference bug that Webster exposed puts First State Superannuation completely on the wrong side of various compliance regimes and acts, including the Australian Privacy Act which stipulates organisations must take reasonable steps to secure personal information.

On this week's show we're delving into a troubling story emerging here in Australia. A local security researcher and consultant, Patrick Webster, has been threatened with criminal and civil prosecution after he disclosed a direct object reference bug in his pension fund's systems.

We'll be discussing this in the news with Adam, then we'll be hearing from First State Superannuation's Chief Executive Michael Dwyer himself!

Also on this week's show I'll be playing part two of my interview with famed hacker Kevin Mitnick. There's a very funny story in there about what happened when I asked him to track down Christopher Boyce, aka the Falcon of the Falcon and the Snowman fame. Boyce is an American who, at the time, had just been released from prison after serving a lengthy sentence for treason.

A big news story over the last week was the Chaos Computer Club's discovery of a piece of malware thought to be used by law enforcement in Germany. Over there, government agencies are allowed to use malware to Intercept internet telephony, but nothing else. As it turns out the trojan was packed with all sorts of extra features that just shouldn't have been there.

We'll be discussing that whole thing in this week's sponsor interview with Markus Hennig -- the co-founder of Astaro, which is now the network security division of Sophos.

Adam Boileau, of course, stops by for this week's news segment.

To subscribe to the Risky Business podcast via iTunes, click here.