Podcasts

Risky Business 2 is sponsored exclusively by Symantec.

In this edition of the show we're taking a look at Microsoft's Office 2010.

Last week I headed to Microsoft's Tech Ed conference on the Gold Coast and caught up with Reed Shaffner, a product manager with the Office team, to chat about the security features in Office 2010.

The company has put a lot of work into making sure the types of attacks that have plagued its office suite over the last few years will be a thing of the past. Will these new measures succeed?

Subscribe to the Risky Business newsletter here.

Risky Business on Twitter!

This week's edition of Risky Business is brought to you by the fine folks at Sophos, the makers of all types of security software and the employer many, many smart cookies.

This week's show is a bit of a mixed bag. We'll of course be checking in with our buddy Adam Boileau to discuss the week's news headlines, then we'll be having a chat with journalist Cameron Stewart. He works for The Australian, a Murdoch-owned newspaper, and he's written a series of articles alleging Australia's spy agency ASIO has been called in to investigate Chinese networking equipment manufacturer Huawei over alleged links to Chinese intelligence organisations.

Interesting stuff to say the least.

Then we're going all Mac on you. We'll be chatting to Brett Olsen, who's been doing some interesting work in looking at the privacy implications of some iPhone applications. Yes, I know iPhone stuff has been done to death, but Olsen's i-phone-home project could be a preview of things to come across the whole mobile computing space.

Then of course we'll be chatting with Sean Richmond of Sophos in this week's sponsor interview. He'll be giving us a vendor take on Apple's decision to build some rudimentary AV into its operating system.

Sign up to the Risky.Biz newsletter here.

While the bug allows remote code execution several versions of Windows, including Vista and Server 2008, its impact on Windows 2000 is limited to causing a denial of service.

Let's hope it's not one of those Denial of Service bugs that turns out to be quite serious later.

The bug appears to be some sort of TCP/IP stack problem -- discovered by the late Jack C. Louis -- which allows attackers with the ability to connect to any port to run code or DoS the target, depending on the version of Windows.

It's a bad one.

It's especially bad if you're running legacy applications on Windows 2000. The only mitigation for this thing is a properly configured firewall that cleans TCP window sizes (cleans Windows' windows, hur hur) in front of the Windows 2000 host.

Here's the relevant bit of the advisory:

"The architecture to properly support TCP/IP protection does not exist on Microsoft Windows 2000 systems, making it infeasible to build the fix for Microsoft Windows 2000 Service Pack 4 to eliminate the vulnerability. To do so would require rearchitecting a very significant amount of the Microsoft Windows 2000 Service Pack 4 operating system, not just the affected component. The product of such a rearchitecture effort would be sufficiently incompatible with Microsoft Windows 2000 Service Pack 4 that there would be no assurance that applications designed to run on Microsoft Windows 2000 Service Pack 4 would continue to operate on the updated system."

Windows 2000 support was to continue until July next year.

This week's episode is sponsored by Check Point software.

On this week's show we're chatting to Alastair MacGibbon of Surete Group. He was the Australian Federal Police Agent who established the multi-jurisdictional Australian High Tech Crime Centre back in 2003. He was with the AFP for 15 years and spent the majority of his policing career working in drug enforcement. That included investigating criminal drug syndicates.

He'll be along this week to dispel some of the current theories doing the rounds about online criminal activity.

We'll also be joined by Check Point's Fred Borjesson to discuss hardcore, customised malware: memory scrapers, rootkits and other stuff the hardcore bad guys use to exfiltrate card data from compromised organisations. It's virtually impossible to detect because, well, it's not widely distributed like most malware -- this is hardcore stuff for hardcore people. That's this week's sponsor interview.

We also discuss the week's news with Adam Boileau.

Risky Business two is brought to you exclusively by Symantec, so big thanks to the team over there for making this podcast possible!

In this week's special interview you'll hear Paul Craig discussing Web application vulnerability chaining with Mark "Pipes" Piper. Chaining is basically combining a whole bunch of trivial bugs into something quite critical.

Paul did this interview at New Zealand's OWASP day.

It makes for pretty interesting reading. There are 211 exploits on the list, with 117 of them described as confirmed 0day.

You can find the list here.

As far as Risky.Biz is aware, these guys do not contact vendors and give them details on 0day they acquire. While to most that would seem the right thing to do, it's directly opposed to InteVyDis' commercial interests.

A fixed bug is a dead bug. Why slash the value of your own product?

We would love to hear from readers on this in the forums. Do you think a business model that involves selling 0day without notifying vendors is inherently immoral?

This week's show is sponsored by Microsoft and hosted by Vigabyte virtual hosting.

On this week's show we chat with Jose Nazario, the manager of security research for Arbor Networks. Jose is joining us to talk about the latest trends in botnet C&C. Apparently, using IRC is sooooo 2005 these days...

We also talk to Stuart Strathdee from Microsoft in this week's sponsor segment. In it, we discuss alleged criminal mastermind and all round badass Albert "The SoupNazi" Gonzalez. Will his capture and prosecution be a deterrent or an inspiration to fraudsters?

And of course the show wouldn't be complete without Adam "Metlstorm" Boileau jumping on board for a look at the week's news headlines.

This week's edition of Risky Business is brought to you by Sophos and hosted by Vigabyte virtual hosting.

On this week's show we chat with Professor Gernot Heiser. He's the chief Technology Officer of OK-Labs, or Open Kernel Labs. The company makes software for embedded systems, and recently NICTA -- that's a government funded technology R&D lab -- has claimed to have mathematically verified one of the OK-labs kernels as being mathematically perfect. No buffer overflows. No null pointer dereferences. No divide by zeros.

The Prof stops by to explain what this all means.

We also chat with Sean Richmond from Sophos in this week's sponsor interview. We quiz Sean on this virus doing the rounds that affects Delphi development environments. Interesting stuff!

And of course Adam Boileau pops by with the week's news headlines.

In this special interview you'll hear our New Zealand correspondent Paul Craig interviewing Security-Assessment.com's Roberto Suggi Liverani and Nick Freeman discuss their research into exploiting Firefox extensions.

These guys were doing a review of a large web application and evaluation of a related firefox extension was in scope.

Skype extensions, search toolbars -- all those extensions that people routinely install into their browsers, well, it turns out a lot of them are buggy as hell and these two have figured out how to exploit these little suckers, and at best guess, there's around 30 million boxes out there vulnerable to the extension bugs they've identified.

On this week's show we're chatting with CEO of Australia's Internet Industry Association, Peter Coroneos. Peter led the charge for a National 2FA scheme many years ago... it hasn't quite gotten off the ground yet, but Peter joins us shortly to discuss the scheme, how it got started and why it hasn't really gone anywhere yet.

We're also joined by a special guest in our sponsor segment this week, Paul Asadoorian, the host of the PaulDotCom Security Weekly podcast. Paul's dayjob is as Tenable's "Evangelist". He won't be evangelising anything this week though, he's popping by to talk about training. Paul did work for SANS, and we'll be asking Paul what he thinks training and certification are good for.

And we'll be checking the week's news with Adam "metlstorm" Boileau!