Podcasts


Risky Business #129 -- Smart meters a stupid idea?

Presented by

Patrick Gray

CEO and Publisher

Adam Boileau

Technology Editor

This week's podcast is hosted by Vigabyte virtual hosting but sponsored by Check Point.

On this week's show we're taking a look at smart metering. It's all the rage these days -- it will usher in an era of automated billing for electricity, gas and water as well as letting the utilities companies do all sorts of intelligent grid management stuff. Utilities across Australia and indeed throughout the world are rolling this technology out as we speak.

But as you'll hear, there are opposing views on whether or not this stuff is ready for roll out.

Could a smart meter worm that can shut down whole cities be on the horizon? It sounds a bit extreme, but that's one concern Professor Bart Jacobs of Radboud University in the Netherlands highlights. We'll hear from him later.

We'll also hear from Logica's smart metering security expert Karl Dawson. He has extensive experience working with utilities on this sort of thing and says it can be done securely, if it's done right and monitored properly.

In this week's sponsor interview we'll be chatting with Steve MacDonald from Check Point. He's Check Point's engineering services manager here in Australia which means he spends a lot of time with big, big companies dealing with their issues. This week we're chatting to Steve about some of the more idiotic things he's seen customers do. Allow ANY blanket firewall rules anyone?

RB2: Script fragmentation PLUS advanced SQLi

Presented by

Patrick Gray

CEO and Publisher

Risky Business 2 is brought to you by Symantec and hosted by Vigabyte virtual hosting!

In this podcast you'll hear our roving reporter Paul Craig interviewing a couple of presenters from BruCon, Belgium's security conference.

In the first interview, Paul chats to Stephan Chenette of Websense about script fragmentation, a concept that's a bit similar to TCP fragmentation for IDS evasion.

Interview number two is about advanced SQL injection attacks, with Gotham Digital Science's Justin Clarke.

Risky Business #128 -- Metasploit acquired by Rapid7

Presented by

Patrick Gray

CEO and Publisher

Adam Boileau

Technology Editor

This week's edition of Risky Business is brought to you by Sophos.

And what a show it is! We've got the exclusive podcast interview with HD Moore, who fills us in on the acquisition of the Metasploit project by Rapid7.

Now, before you GPL freaks run to the shed to dig out the pitchforks and flaming torches, you should hear this interview. The way HD describes it, this acquisition is about the best thing that could have happened to Metasploit.

Rapid7's director of products and operations, Corey Thomas, also joins the show with some soothing words for anyone with concerns about the acquisition.

We're also joined this week by Adam Boileau, who discusses the week's news headlines, and Paul Ducklin of Sophos joins us for the week's sponsor interview.

Subscribe to the Risky Business podcast here.

Follow Risky Business on Twitter here.

Sign up for a forum account and our weekly newsletter here.

...or leave us a voicemail on Sydney 02 8569 1835 or USA +1 877 688 8417 (Toll free).

H D Moore sells Metasploit: Open source project in commercial hands

Presented by

Patrick Gray

CEO and Publisher

The Metasploit project has been acquired by Rapid7, a US-based vulnerability management company.

Metasploit creator H D Moore confirmed the sale in a podcast interview with Risky.Biz overnight (Click to hear the podcast). "This is more of a buy in than a sell out," he told Risky.Biz. "It's about taking Metasploit to the next level with a real company with real funding."

Eager to put open source enthusiasts' minds at ease, Moore told Risky.Biz the acquisition will result in full time resources being allocated to the Metasploit project. Rapid7 will fund five full time developers to work on the project and Moore insists all core software developed by the new, full time team will remain free and open source.

"Nothing that people are using today is going away," he said. "I'm definitely in it for the long haul."

Rapid7 director of products and operations, Corey Thomas, insists the company is committed to the future of Metasploit as an open source project. He says the acquisition seemed a natural progression following partnership and integration discussions with Moore.

"We [already had] two or three developers who contribute to Metasploit," he said. "After a period of time we decided the best way to go was to make a direct investment and fully sponsor the Metasploit project."

Originally released in 2003, Metasploit allows security professionals to rapidly develop exploits for computer vulnerabilities. Initially regarded as controversial, Metasploit has become a staple tool for penetration testers and other technical security professionals.

To hear H D Moore and Corey Thomas discuss the acquisition, listen to Risky Business episode 128 here.

Risky Business #127 -- Extra Chunky Cyber Security with David Rice

Presented by

Patrick Gray

CEO and Publisher

Adam Boileau

Technology Editor

This week's show features an excerpt from David Rice's plenary speech at the GovCERT Symposium in Rotterdam, The Netherlands.

In his talk, David asks what the security business could learn from pasta sauce, Diet Pepsi and food science in general. It's a bit out there, but it's well worth a listen.

You'll also hear from Microsoft Australia's Andrew Parsons about a couple of programs Microsoft is running that involve giving away an absolute tonne of expensive software to students and start-ups. It's not a security related interview, but hey, the programs are pretty interesting and worth featuring.

There's no news guest this week -- I'm still travelling back to Australia from Europe. It's a long way. No, really... It's far.

But we'll be back to regular programming next week.

Risky Business #126 -- Doing it right and getting owned anyway

Presented by

Patrick Gray

CEO and Publisher

Adam Boileau

Technology Editor

This week's show is a bit of a special edition, prepared at the GovCERT.nl Symposium at the World Trade Centre in Rotterdam, Netherlands.

This isn't a regular edition of the show, so sadly we will not be joined by our regular news guest Adam Boileau for our weekly news segment. Instead, we'll be having a chat with Neohapsis CTO Greg Shipley, who's also here to give his own talk at GovCERT.nl.

Greg's firm actually did some of the forensics work on one of the organisations allegedly attacked by Alberto Gonzalez, the Internet super-villain. If you've been in a cave for the last few months, Gonzalez is the guy who's suspected of stealing up to 135 million credit card numbers over several years... and he's now in prison as a result.

Greg and I discussed how these sorts of breaches could actually happen in organisations that actually pay attention to their security.

In this week's sponsor interview, Check Point's Engineering Services Manager Steve MacDonald will be along to have a talk about a recent report -- one that we mentioned on last week's show -- that claimed up to nine percent of corporate machines are actually infected with custom-designed malware.

Working for Check Point, Steve has a lot of exposure to large corporate clients, and depressingly, says the report is entirely plausible.

RB2: BruCon Podcast: Chris Nickerson on Red Team testing

Presented by

Patrick Gray

CEO and Publisher

In today's podcast you'll hear Risky.Biz's New Zealand correspondent Paul Craig discussing Red Team testing with Chris Nickerson. A Red Team test involves more than just a standard pen test, it's an outright simulated attack. You'll hear Chris speak of crawling through ceilings to get to data centres, stealing trade secrets -- actual documents -- and even having his nose smashed in by an overly enthusiastic security guard.

Paul did this interview at BruCon, a security conference in Brussels, the lucky bastard, and we'll pick up the conversation here where Chris is talking about what sort of stuff he sets out to steal when he's scoping out a Red Team exercise.

Risky Business #125 -- Bottle Domains appeals, bank sued by phishing victim

Presented by

Patrick Gray

CEO and Publisher

Adam Boileau

Technology Editor

On this week's show we'll be chatting with Stratsec's Chief Technology guy Nick Ellsmore about bank fraud liability. A couple in the USA who fell victim to a phishing scam are suing their bank to get their money back. Nick's not a lawyer, but he's one of those guys who follows the law as it relates to security very, very closely, so he'll be on the show to talk about that.

We'll also check in with the head of Australia's domain name regulator auDA, Chris Disspain. A couple of years ago an Australian domain name registrar, Bottle Domains, had its credit card database walked out through the perimeter. That's led to auDA taking court action, and by the looks of things it's set to drag out a bit longer.

In this week's sponsor interview we're joined by Microsoft's Stuart Strathdee. That one's a bit of a mixed chat about all sorts of stuff. We're talking all things Microsoft. And there's been a lot of MS-related news of late.

Adam Boileau is this week's news guest.

[MINOR CORRECTION: It's mentioned in the show that it's rare for a TLD regulator to take action against registrars. Risky.Biz is told that is not the case.]

EXCLUSIVE: Bottle Domains to appeal court ruling

Presented by

Patrick Gray

CEO and Publisher

Domain name regulator auDA moved to terminate Bottle Domains' registrar agreement when it was revealed the company's customer database had been hacked and offered for sale in a black market forum. "Under the terms of the registrar agreement with us they are obliged to inform us of any security breach," auDA CEO Chris Disspain told Risky.Biz in a podcast interview. (Click to hear the full interview.) "That did not happen."

The loss of accreditation would have seen the company stripped of the right to conduct business as a domain name registrar. The domain names of its existing clients would be transferred to auDA itself, which would have acted as an interim registrar.

"[The judge] has stayed those orders for a period of time to allow Bottle to go to the court of appeal and apply... for an injunction pending the hearing of a full appeal," Disspain said.

You can find Risky Business on Twitter here.

Sign up to our weekly newsletter here.

Risky Business #124 -- Blogger brazenly pwns Web apps, publishes results

Presented by

Patrick Gray

CEO and Publisher

Adam Boileau

Technology Editor

On this week's show we'll be taking a look at the disclosure of security vulnerabilities in Web applications.

An interesting blog has recently popped up here. If you visit (at your own risk), what you'll see there is basically nothing but screen caps of owned Web applications. They're big targets, too.

We're talking about Facebook, RBS WorldPay, that sort of thing. Browsing through that blog is a very diverting 20 minutes.

Is owning sites and posting the results like this unethical? We thought we'd ask our guest Adam Pointon. He's a CSO for a financial services company that operates a very complicated web application for tens of thousands of users.

We'll also be chatting with our sponsor guest Paul Asadoorian this week. Paul is the co-host of the PaulDotCom Security Weekly podcast. When he's not in front of a microphone, Paul's out there being Tenable Network Security's evangelist. This week we're chatting with him about some interesting research the SANS Institute has released which revealed which weaknesses in corporate security are actually doing the most damage.

This week's special news guest is Munir Kotadia.

Risky.Biz has been asked to help a well respected security company find a new penetration tester in Melbourne. E-mail jobs at risky dot biz for more information. Details are in the show... if you're not interested, put someone forward for a $1,000 finder's fee.
