Podcasts

Brian Snow worked for the USA's National Security Agency from 1971 until a few years ago. By the time he retired from the agency he had risen through the ranks to the position of technical director, information assurance.

He's also one of Risky Business listeners' favourite guests.

This week's show features an in depth conversation with Brian about all sorts of recent trends in the information security area -- Stuxnet, technical debt, surveillance news and more.

It's a cracker interview.

This week's show is brought to you by Tenable Network Security, and that company's CSO, Marcus Ranum, will be along to give his take on Stuxnet. He says it changes nothing and is not an act of so-called cyber-war. In fact, Marcus says (quite rightly) that there's no proof whatsoever that Stuxnet was the work of a state-run agency.

Today's podcast is a special edition -- I'm basically on holidays and travelling for work for the next three weeks so there will be no news section for a little bit, but don't worry, we'll be back to regular programming in three weeks.

But until then we've got some killer interviews for you. This week you'll hear from InQTel CSO Dan Geer and McAfee CTO George Kurtz.

It's always struck me as odd that when a credit card transaction turns out to be fraudulent it's the merchant who foots the bill. It seems weird because the merchant isn't really in a position to implement the required changes to our transaction and authorisation systems that would actually cut fraud.

So is it time that we updated the liability model? McAfee CTO George Kurtz joins us with his views.

PCI DSS has been forced onto merchants to help cut down breaches, but the statistics in documents like Verizon Business's data breach investigation report prove that being compliant won't save you from being pwnz0riz3d.

But it's a massive effort, isn't it? Is the PCI DSS industry keeping valuable security professionals employed in silly jobs, chasing down XSS bugs in merchant websites? Is this really the best use of our resources? Dan Geer joins us to discuss.

This week's edition of the show is brought to you by Microsoft, and Fredrique Dennison of Microsoft Australia joins us to discuss the company's upcoming release of its Forefront security software.

Firesheep is a Firefox plugin that automates the hijacking of http sessions over unsecured wifi access points. While sites like Facebook, Twitter and so on use https to protect login credentials, after successful authentication nine times out of ten you drop back to a http session.

That means, of course, that your session cookie is flying around in plain text and your authenticated session is easily hijacked. But session hijacking has always been a wee bit fiddly... until now.

The Firesheep plugin, written by a Web app developer named Eric Butler, automates the entire process. It's pointy clicky, so all you need to do is pull into a cafe or airport with open wifi, point and click and start goatseing everyone's Facebook.

Neal Wise of Assurance.com.au in Melbourne joins me to discuss Firesheep and what it means in a Web 2.0 world.

Vitaly "The Octopus" Kamlyuk is this week's sponsor guest and we talk about Java exploitation.

Adam Boileau, as always, stops by to discuss the week's news headlines.

In this week's feature interview we're catching up with David Litchfield.

David is a renowned database hacker and a founder of NGS Software, which was acquired by NCC group in 2008. He left NGS back in Feburary this year.

Since then he's written a database forensics tool for Oracle DBs, v3rity. David joins the show to tell us all about it.

In this week's sponsor interview we catch up with Ron Gula, CEO of Tenable Network Security. This week Ron joins us to chat about process monitoring agents like El Jefe, the new tool announced by Immunity Inc last week.

Adam Boileau, as always, stops by to co-host the week's news segment.

In this week's show we're taking a look at a new technology from Immunity Inc. It's called El Jefe and it's actually pretty interesting.

Instead of monitoring network traffic, El Jefe keeps an eye on processes running on all your machines. It's a pretty interesting intrusion detection strategy and I think it's got legs.

Justin Seitz of Immunity joins the show to tell us all about it.

This week's sponsor interview is a funny one -- we've got Symantec's Kevin Haley on the show to talk about an unexpected problem the bad guys are facing: piracy!

It turns out there is no honour among thieves -- the creators of malware like Zeus have a problem with people using unlicensed copies of their badness. So how have malware authors responded? They're shipping anti-piracy dongles!

Adam Boileau, as always, joins us to discuss the week's news.

On this week's show have a chat about critical infrastructure. The Auditor General in the state of Victoria has released a 56 page report into an investigation is conducted into the security of transport and water-infrastructure control systems.

It found the security of four of the five facilities reviewed was substantially lacking. Reading the report you can tell that the bureaucrats who wrote it were having heart palpitations by the time they were done with their investigation.

The NSA's former technical director of information assurance, Brian Snow, was kind enough to read the report summary and he joins us to share his thoughts.

In this week's sponsor interview we chat with Microsoft Australia's Chief Security Advisor Stuart Strathdee about that software maker's renewed push to encourage ISPs to take action against infected machines on their network. Stu will join us to explain why Microsoft is beating that particular drum again.

Adam Boileau, as always, joins us to discuss the week's news.

The Victorian Auditor General has wrapped up its investigation into SCADA security in the transport and water sectors down south.

It found major problems that will surprise absolutely no one. In short, four out of five of the installations examined were nightmarishly insecure. It also found a real lack of awareness among the operators of critical infrastructure that they even have a problem.

A lack of security understanding was on display in New Zealand recently when a spokesperson for Mighty River Power proclaimed the installation was immune to the Stuxnet malware because "we don't run Windows 2000... which we understand is the doorway for the virus".

I'd guess that in some cases more effort is put into securing billing websites for electricity providers than into securing the infrastructure itself, and this report seems to bear that out.

Most pros in the information security industry has known about these problems for a long, long time, but it's great to see them getting some attention at government level.

You can download the PDF from this page here.

It makes for fascinating reading. The text has an interesting feel and tone to it -- a mixture of disbelief and panic shine through.

I tried getting someone from the auditor general's office to chat with Risky.Biz, but the office has a policy of not commenting on reports.

The office and its staff are shielded from defamation action when writing official reports, but any commentary to the media is not protected.

The timing of all this is borderline freaky in light of all this Stuxnet hoo-ha.

Anyway, have a read yourselves and tell us what you think by commenting here.

NOTE: The original post accidentally linked through to episode 169 -- fixed now!

In this week's feature interview we'll be taking a look at a proposed bill in the USA that would see all software companies having to build a lawful interception capability into their products. Basically the feds in the USA would like to be able to tap Skype, Blackberrys, OTR instant messenger and so on.

And we've got the perfect guest to discuss this with -- Alastair MacGibbon. A 15-year veteran of Australia's federal police and the founding director of the AFP's high tech crime centre, MacGibbon left that job to work as eBay Australia's director of Trust and Safety when eBay owned Skype.

These days he's doing his own thing under the name Surete Group.

In this week's sponsor slot we're joined by Vitaly Kamlyuk of Kaspersky Lab in Japan. He's grumpy! He's not pleased! A security researcher in the USA published a nice big detailed blog post the other day in which he described some vulnerabilities he'd found in the Zeus botnet C&C server software.

Some in the security research community believe that disclosure was irresponsible and Vitaly is one of them. We'll hear from him after this week's feature.

As always, Adam Boileau joins us to discuss the week's news.

It took just three days for a vulnerability in the Zeus botnet command and control software to be patched against a vulnerability disclosed in a security researcher's blog posting.

USA-based researcher and apparent Google security engineer Billy Rios published a detailed blog post on vulnerabilities he discovered in Zeus's command and control server.

Armed with details of the vulnerability, attackers could seize botnet command and control servers. Attackers could be criminals seeking to seize other organisations' botnets, or security researchers looking to disable botnet command and control servers.

Zeus is a malware package that targets Internet banking accounts and digital certificates. Sold on the underground, the Zeus botnet "kit" contains a user manual and all the software ingredients enterprising criminals need to get started building their botnets.

Some malware researchers say Zeus is currently the most common malware on the Internet.

Rios conducted a security audit on the command and control web application that "ships" with the Zeus kit, only to find vulnerabilities that could be used to compromise the C&C server.

His full disclosure of the bug led some to criticise Rios for assisting criminals better secure their malicious software.

A source tells Risky.Biz the "patch" was first discussed on Zeus-related IRC channels by Pierre Caron.

What do you think? Should Billy Rios have disclosed his findings? Let us know by clicking here.

To hear more about this story tune into tomorrow's edition of the Risky Business podcast. RSS feeds are here.

This week's feature is a chat with industry legend Dan Geer about Stuxnet. The more we find out about Stuxnet the more it looks like something ripped out of a spy thriller. It used four 0day bugs, two stolen code signing keys and infected a bunch of systems in Iran.

Speculation that the worm was targeting specific facilities in Iran has grown over the last week and we'll see what Dan thinks about that.

Adam Boileau joins us to discuss the week's news and Tenable Network Security chief executive Ron Gula pops in for this week's sponsor interview.