Podcasts

Datacom TSS is a Canberra-based, national security firm founded by ex Australian government security specialists. These guys specialise in dealing with highly skilled adversaries. One of their services is running some pretty intense Red Team exercises.

The team at Datacom TSS recnetly ported its Red Team Trojan over to the Android platform, and it's surprisingly easy to trick people into installing it. You just email it to them and ask them to install the APK package.

And what you get once you're on someone's phone is quite awesome. Not only can you turn on the microphone and snoop on boardroom conversations, but you can use the 3G or LTE connection on the device to do your exfiltration. That way you're completely bypassing the heavily watched gateway. You can also use it to bypass SMS-based authentication.

Mark Brand is the Datacom TSS guy who did the Android port. He joined me by phone to tell us all about it.

The following is a recording of David Jorm's AusCERT presentation. You might have heard Dave preview his talk on last week's episode of the regular Risky Business podcast.

Dave, who works as a security response engineer for a vendor, studies geography and mathematics at the University of Queensland and recently completed a study on long-term remote-sensing analysis of North Korea. In his talk he looks at an OSINT analysis of North Korea\u2026 he talks about the work he did as well as looking at what other North Korea watchers are up to. There's some really cool stuff in there about Red Star Linux, too -- it's a North Korean Linux distribution that's surprisingly polished.

So here he is -- it's Dave Jorm's AusCERT talk. Enjoy.

This is a recording of Mark Fabro's day two keynote speech from AusCERT. Mark is a control systems security expert and a terrific speaker. He's the president and chief security scientist for Lofty Perch, a control system security consultancy. He's extremely well plugged in to the SCADA security scene, he's done a bunch of strategy consulting to the US government. Basically Mark is Mr. SCADA. It's his thing.

In this talk Mark argues that we're focussing on the wrong stuff when it comes to SCADA security. He gives us an experts view on the conversation we should be having if we actually want to fix things. Here's Mark Fabro, I hope you enjoy it.

In this sponsor interview with chat with Casey Ellis, the founder of BugCrowd.

BugCrowd is an Australian business, but Casey is currently in the USA where the appetite for information security investment opportunities is apparently hitting fever pitch. In this interview I ask him how one might get started off on the path to massive phatcash through their cybersecurity startup.

We're kicking off our AusCERT 2013 coverage today with the conference's opening keynote by Michael Jones, Google's chief technology advocate. He's charged with advancing technology to organise the world's information and make it universally accessible and useful.

Michael has worked as chief technologist of Google Maps, Earth, was the CTO of Keyhole Corporation, the company that developed the technology behind Google Earth and was also CEO of Intrinsic Graphics, and was director of advanced graphics at Silicon Graphics.

His presentation was called Security's Biggest Risk, and it basically boils down to the dumb stuff bringing us unstuck. It's a very high level talk that definitely has its moments, and I hope you enjoy it. Here he is.

The following is a recording of HD Moore's AusCERT plenary, all about the research he's done scanning the entire Internet. HD is one of the smartest guys in the business, and it's a great talk. But you might actually need to slow it down a bit, because I don't think I've ever encountered anyone in my life who can speak as fast as HD does. He sometimes speaks at a pace that is faster than my ability to comprehend what he's saying. But as I say, it's a great talk -- it's called Global Vulnerability Analysis.

In this sponsor interview we chat with Paul Ducklin of Sophos about trends in code signing technology designed to combat malware.

During the great "SSL wars" of 2011, when hackers like Comodohacker went cyber-berserk owning CAs and minting their own certificates for sites like Gmail and Facebook, valuable lessons were learned. It's becoming the norm for browsers to pin certs for well known websites... and now this same approach to certificate sanity checking is finding its way into code signing checks.

Microsoft's latest EMET, version 4.0 which I think is still in Beta, will pin certs for signed applications. It's a good idea -- it makes life a little tougher for the bad guys, but as you'll hear, it's not going to kick the can THAT far down the road, as Paul Ducklin explains.

The following is a recorded presentation from AusCERT. It's by Al Blake, the Chief Information Officer of the Department of Sustainability, Environment, Water, Population and Communities. In it he talks about BYOD, basically, from an Australian government perspective. It's not an overly technical talk, but it is a good overview of what a CIO like him has to consider when allowing staff to use their own devices in a heavily regulated environment.

In this sponsor interview with chat with Casey Ellis, the founder of BugCrowd.

When Casey co-founded the business the idea was simple -- the company would host outsourced bug bounty programs for clients that didn't have the expertise to run their own. As some of you may know, the idea really took off, but what no one expected was for BugCrowd's registered testers to do a better job than many penetration testing teams.

It's cheaper than a pentest, and in the case of Web application or mobile application security testing, these bug bounty programs are turning up more actionable issues than penetration testing teams.

Could these types of programs be disruptive to the penetration testing services industry? Casey joined me to discuss.

This week's feature interview is with Dave Jorm, a Brisbane-based security geek and environmental science aficionado who's done some really interesting OSINT analysis of agricultural efficiency in North Korea with publicly available satellite data.

He's presenting his findings at AusCERT's annual conference on the Gold Coast next week; he joins the podcast to talk about his work and the online community of North Korea watchers.

Ok, so it's not exactly about infosec, but it's really interesting stuff and I hope you all enjoy it!

This week's show is brought to you by the fine folks at HackLabs, the Australian pentesting firm. If you need your pens tested, get in touch with the team at HackLabs.com.

This week's sponsor interview is with HackLabs head honcho Chris Gatford. We chat to him about a tale of two banks -- one big Middle Eastern bank and one small Australian bank. They're two organisations with very different approaches to security and very different security postures, but both eventually failed penetration tests by making the same simple mistakes.