Podcasts

This week's show is a doozie!

We're joined by Brian Snow to discuss risk-based security. Brian, who was the technical director of information assurance for the NSA in the US, recently contributed to a security review of US Department of Energy Nuclear Weapons Facilities. (You can download the unclassified version of the report here for free with registration.)

The review sought to understand if Probabilistic Risk Assessment (PRA) methodologies could be used to improve the cost effectiveness of the DoE's security.

The review found that PRA is, in fact, not suited to managing risk in malicious environments. It's great for modelling likely failures of power supplies in data centres, but not so good at modelling attack scenarios.

Basically it boils down to the fact that it's impossible to assign a likelihood to an unknown attack.

So how on earth did risk-based security become the "standard" way of doing things in the enterprise? What use is a risk register if high-impact, low-likelihood adverse events can't be reliably quantified?

Brian joins us to discuss. It's a corker interview.

Adam Boileau joins the show for this week's news. He seems especially keen to sing CA's praises this week. Metstorm <3's CA. He even has CA pyjamas. I've seen them.

Risky Business has been judged Australia's Best Technology Audio Program for a second year in a row.

The Lizzies, Australia's awards for technology journalism, are run by media services company MediaConnect, with each gong judged by a panel of three technology journalists.

Risky.Biz edged out entries from Sydney-based radio station 2GB, CNet/ZDNet and others.

Big thanks to the listeners, sponsors, guests and everyone who's helped out since the podcast launched back in early 2007.

Episode 190 of the Risky Business podcast is brought to you by our good buddies at Astaro.

Astaro's Jack Daniel joins us in this week's sponsor interview to talk about the evolution of firewalls. We try to predict what they're going to look like, five or ten years out. No surprises for guessing convergence is going to be a big thing.

In this week's feature interview we chat with Kowsik Guruswamy of muDynamics about a project his company kicked off called pcapr.net

It's an online archive of packet captures/traces with 60 million packets archived and 5200 members contributing. It's a great project and I'm surprised more people in the infosec community haven't heard of it.

As always, Adam Boileau stops in for a check of the week's news.

This week's show is brought to you by NetWitness.

The minting of some dodgy SSL certificates has the whole security world in a bit of a tizz, but this week's feature guest thinks much of the resulting media coverage is missing the point. Why are browsers designed to make Boolean trust decisions? Why do they completely trust CA issued certs?

Peter Gutmann of the University of Auckland joins me to discuss.

Adam Boileau pops in for the week's news, as always.

On this week's show we're mostly focussing on news! It's been a massive week in news -- we've had AT&T users' Facebook data being re-routed through China, we've had more speculation on the RSA hack, Comodo has been busted dishing out trusted SSL certificates for gmail.com to a box in Iran, there's a stack of SCADA 0day being dropped, there's people going to prison, giant rats eating entire data centres.... ok, well I made the last bit up, but the rest of it, if you can believe it, is true!

So we'll chat with Adam Boileau about a lot of that stuff in the regular news segment, and we'll be joined by Declan Ingram to discuss the Comodo SSL breach and the SCADA news.

In this week's sponsor interview we're chatting with Tenable Network Security's evangelist Paul Asadorian. Well, Paul and his buddy Larry Pesce. Paul and Larry host the PaulDotCom security weekly podcast, and they popped by to discuss the issue of APTs and risk-based security. It's a great chat, and it's coming up later.

This week's show is sponsored by Tenable Network Security.

It's episode 187, the homicide edition, and RSA conveniently falls victim to a drive by. Thanks guys!

This week's show is a ripper. We've got two feature guests -- Kimberly Zenz of iDefense and Paul Ducklin of Sophos.

We talk about everything from recent disinformation and social media manipulation campaigns in the Middle East and Belarus, the breach of RSA by parties unknown wielding those mysterious "APTs". Allegedly.

Duck and I also have a chat about Privacy International proclamation that Skype is a threat to the security and privacy of activists and dissidents. We don't know what they've been smoking over there at Privacy International, but I bet you it's some good stuff -- the criticisms levelled against Skype are, largely, baseless. Allegedly.

Adam Boileau joins us, as always, to discuss the week's news headlines.

Well it's official. I've made it: Gregory D Evans has ripped off my work!

Risky.Biz's pal Jericho from Attrition.org recently drew my attention to a book published by Evans and LIGATT Publishing called "Hi-Tech Hustler Scrapbook".

From what I can tell, it's just a collection of news and feature articles written by other people. Three of my articles from years ago made it into Evans' "scrapbook":

"Cyber Terrorism 'Merely a Theory'," November 11, 2003, ZDNet Australia

"Beware the Crime Lords of the Internet," May 31, 2005, The Age

"Computer Crime: Methods and Techniques," June 01, 2005 Sydney Morning Herald

When asked how he could justify cutting and pasting other peoples' work into a book and selling it for $39.95, Evans claimed that he got permission to use the articles he included.

He also says he didn't put his by-line or name on the book, so he's in the clear. Indeed, my by-line remained on my articles as reproduced in his book. You can read his ridiculous ramblings on the subject here.

Anyhoo, I thought I'd make 110% sure that permission wasn't given to Evans to use my articles in his book. I asked ZDNet Australia if someone over there gave Evans permission to reprint my work. Here's the response I received from the house of Z's Editorial Director Brian Haverty:

After checking with the global offices of ZDNet, I have found that the ZDNet content that appears in Gregory Evans' 'Hi-Tech Hustler Scrapbook' was not used with the permission of any authorised employee. If Mr Evans purports to have any evidence of permission being granted, we would very much like to see it.

So, just for the record, Gregory D Evans did not have my permission or the permission of my publisher to reprint "Cyber Terrorism 'Merely a Theory'," November 11, 2003, ZDNet Australia.

If you don't know who Gregory D Evans is, you're in for a fun hour's Googling.

This week's show is jam-packed! We'll be chatting with Andrea Barisani about a presentation he did with Daniele Bianco at CanSecWest this week. They're both from Inversepath, and the title of their talk was "Chip and PIN is definitely broken". Is it? Find out after the news.

Also this week we chat with CSO Adam Pointon. What can you do when your executives want to use their iPad or other mobile device on your network? Is it possible to create a security policy for consumer devices on your network? Well, yeah, it is, as it turns out.

In this week's sponsor interview we chat with Jack Daniel of Astaro. The topic is IPv6. Despite the fact that the Internet has run out of v4 addresses I haven't personally seen the four horsemen of the Internet failpocalypse riding down my street just yet. But be assured, there's a transition coming and Jack joins us to discuss how you can prepare for it.

Adam Boileau, as always, stops by with his take on the week's news.

On this week's show Peter Gutmann drops by to talk about Solid State Drives (SSDs) and digital forensics. Depending on which report you saw over the last week you may have read that it's impossible to reliably delete data from an SSD, or that SSDs are a forensic nightmare because they DO delete so much data.

Well it turns out both statements are correct, and Peter "Gutmann Method" Gutmann joins us to explain how.

Also this week, Tenable Network Security and industry Stalwart CEO Ron Gula joins us to chat about the concept of restricting the sale and export of exploit information or malicious software. How does one determine what is malicious or other in a discipline where almost everything is dual use? That's this week's sponsor interview.

Adam Boileau, of course, joins us for the week's news.

******I missed a couple of "naughty words" in this week's edit, so put your headphones on if the kids are about...

On this week's show we're having a chat with the editor of Wired.com's Threat Level blog, Kevin Poulsen.

He joins us to discuss his new book, Kingpin, which is out this week in the US and on March 1st is Australia.

Kingpin tells the story of Max Ray Vision, a hacker who started off as a typical carder but came to control virtually the entire online credit card fraud scene in the English speaking world. How? By owning rival forums, merging their users into his site and then torching the competition. It was pretty effective.

Adam Boileau joins us to discuss the week's news.