RB2: SPONSOR PODCAST: Symantec malware update with Kevin Hogan

Presented by Patrick Gray, CEO and Publisher

In this month's sponsored podcast here on Risky Business 2 we're chatting with Symantec's Senior Director of Global Security Response Operations Group, Kevin Hogan, about quite a few things.

We'll be talking about the standardisation of many forms of malware, weaknesses in the packers the bad guys are using -- that's interesting -- and heaps of other stuff around online threats.


Risky Business #118 -- eCrime Symposium panel discussion

Presented by Patrick Gray, CEO and Publisher, and Adam Boileau, Technology Editor

Sydney's inaugural eCrime Symposium kicked off on Tuesday, and Risky Business was there with an audio recorder.

We recorded this panel discussion while we were there and decided it'd make a good podcast. The speakers are Rachel Dixon, who's a technology executive here in Australia for online media group Viocorp, as well as being the deputy chair of consumer group Choice, Phil Argy, the head of the Technology Dispute Centre, and Sean Richmond from Sophos.

The panel was hosted by Nigel Phair.

I've basically cut it down to focus on the comments of Rachel Dixon. She was the best speaker on the day, and her riffs make for interesting listening.

There is no news segment this week due to a nasty bit of chicken making me quite ill on Wednesday and Thursday. I'll spare you the details. I'm also moving house tomorrow, so things this week have just got a little crazy.

But RB will be back next week with a bit of a wrap from all the shenanigans in Vegas and a proper news update.

In this week's sponsor interview we're trying something different. We're having a chat to Tim Smith of Bridgepoint, a Check Point Gold Partner. Tim's at the coalface of the Australian security industry, so we took this opportunity to get a commercial perspective on what's happening out there in the market, and in particular, with PCI.

As you'll hear, Tim says all sorts of organisations -- from online retailers to corner stores -- are being roped into the regime, which obviously makes life interesting.


RB2: OWASP Day NZ: Presentation on Web services security testing

Presented by Patrick Gray, CEO and Publisher

In this presentation from New Zealand's OWASP day, you'll hear Lateral Security's Nick Von Dadelszen describe testing methods for Web services.

Unfortunately he does some demonstrations that don't really translate well via audio, but if this is already an area of interest to you, then you'll still find it valuable.


RB2: OWASP Day NZ: Interview on Web services security testing

Presented by Patrick Gray, CEO and Publisher

In this interview, you'll hear Risky.Biz's New Zealand correspondent Paul Craig discuss Web services security with Lateral Security's Nick Von Dadelszen.

We all hear a lot of talk about web application vulnerabilities, and not much at all about web services problems. The result is a lot of web services are wide open.


Risky Business #117 -- McAfee tries to explain data loss incident

Presented by Patrick Gray, CEO and Publisher, and Adam Boileau, Technology Editor

Readers of the Risky.Biz website would have heard by now that McAfee accidentally leaked the full contact information of 1400 registrants for its strategic security summit that was held in Sydney on July 17.

McAfee's Asia Pacific President Steve Redman is this week's feature guest -- he joined the program to face the music for that one.

We've also got a sponsor interview with Microsoft's Stuart Strathdee in this week's show. We ask Stuart why Microsoft's free security software won't be available to systems that fail Windows Genuine Advantage tests, and we also chat about mobile security in light of the recently discovered Symbian botnet.

Adam Boileau joins us to discuss the week's news, and we can assure you there was lots of it!


EXCLUSIVE: McAfee Leaks 1,400 Security Pro Details

Presented by Patrick Gray, CEO and Publisher

The marketing spreadsheet contained the full names, titles, organisation names, phone numbers and e-mail addresses of all who had registered for or attended the company's recent Strategic Security Summit on July 17 in Sydney.

"We did have a human error where the seminar contact list was attached to a promotional e-mail that was sent to... we don't know how many of the delegates," McAfee's Asia Pacific President, Steve Redman, told Risky.Biz by phone. "The important thing to note is this was not financial information, not mission critical information, it was a contact list."

The list was mostly comprised of the details of in-house IT security professionals for Australian organisations. It included the details of those who had attended, those who registered but never showed up, and those who walked in without registering.

The company tried recalling the message after it accidentally leaked, and subsequently sent an e-mail asking those who may have received it to delete the contact list.

As such, Redman says the company will not be contacting everyone on the marketing list to inform them of the leak. "We don't know whether all those people deleted it," he says. "If 50 people got our list... and then we asked them all to delete it and they did, then the information's not out there."

Risky.Biz has sighted the list -- which contains comprehensive contact details for security professionals from banking institutions, government departments and other large enterprises -- throwing doubt on Redman's hopes the list has been deleted.

Chris Gatford, director of HackLabs, attended the event and was alarmed when he learned of the leak. "It contained my registration information," he says. "I am not happy about it sitting in unknown hands."

He says he's surprised McAfee would be so careless with what he describes as sensitive information. He also disputes Redman's assertion the leak is trivial because it is a mere contact list.

"I am sure [McAfee's] competitors would be very excited to have this fall into their inbox," he says. "[And] that list would be great to attack as it is a who's who of the security gatekeepers of Australia's largest organisations."


Risky Business #116 -- Veracode's Chris Eng talks Blackberry spyware

Presented by Patrick Gray, CEO and Publisher, and Adam Boileau, Technology Editor

This week's show is hosted by Vigabyte and sponsored by Sophos. You'll hear from Sophos's Paul Ducklin later on in the show in this week's sponsor interview.

This week's feature interview is with Chris Eng of Veracode, and we'll be chatting about his analysis of a nasty bit of BlackBerry spyware that was pushed out to all BlackBerry users on UAE-based carrier Etisalat.

And of course we're joined by Adam Boileau for a discussion of the week's news.


RB2: ShakaCon Podcast: Lockpicking with Deviant Ollam

Presented by Patrick Gray, CEO and Publisher

This is the final of our podcast series recorded at Shaka Con. From next week on RB2 you'll hear reports prepared by our roving reporter Paul Craig on location at New Zealand's OWASP day.

Shaka Con is a hacker conference held annually in Honolulu, Hawaii, and as you'll hear, the conference didn't limit itself to digital security. Lock picking aficionado Deviant Ollam was there to give a talk all about locks and, curiously, how to fly with locked luggage.

If you've travelled within the USA you may have opened up your bags one day to find a friendly note from the TSA telling you they have searched your bag for your safety.

Well, as it turns out, there's a way to legally fly with a locked bag. It involves flying with firearms. Only in America, folks.

Risky.Biz's own Paul Craig caught up with Deviant at Shaka Con and filed this interview.


Domain.com.au Acts On Fraud Then Tells Fibs

Presented by Patrick Gray, CEO and Publisher

The website has finally blocked private rental listings in order to stamp out fraudulent listings that have fleeced its unsuspecting customers for thousands over several months. It's something, but it's way too late. This is what the company should have done in May when it first got wind of the problem.

Instead, it tried to spin its way out of trouble, enlisting the help of PR company Red Agency to handle this Website's enquiries.

Domain.com.au refused interviews. Domain.com.au knew its customers were losing money to criminals. Domain.com.au chose to do virtually nothing to stop it.

In response to these Risky.Biz articles that first exposed the fraudulent activity in May and June (1 and 2), Risky.Biz received an oh-so-chirpy e-mail from Red Agency on June 19. It informed Risky HQ that a "new security policy, accessible through various links on the site," had been written and published!

What a relief! Problem solved!

Not only that, but the company had used the most advanced "hyperlinking technology" through some new-fangled thing called HTML to link users to the fraud-defeating, magic security policy. I mean, wouldn't YOU click on a link to a security policy that was presented to you in eight-point font on a contact form?

Domain also wrote a blog post warning its users about fraud and ran it on the Domain.com.au blog. Here's a fun game: see if you can find it.

One thing we could certainly find were the graphics on the front pages of The Age and Sydney Morning Herald online that screamed words to the effect of "Apply for rental properties online now on Domain.com.au!". These were running the day the blog post went up. How deliciously ironic.

The Age and SMH are owned by Fairfax, which also owns Domain.

The thing that really cracks us up here at Risky.Biz is this excerpt from the SMH article we linked to in the first paragraph:

The general manager of key categories, Tony Blamey, said the company received reports of the scam in the past two weeks.

Sorry Tony, but we're calling bullshit on that one. Domain has known about this since mid May at the latest.

Nmap Reloaded: "Biggest Release Since 1997"

Presented by Patrick Gray, CEO and Publisher

The new package, nmap 5.0, includes Ncat, billed as "a much more advanced and modern reimplementation of the beloved Netcat". Also included is Ndiff, which is designed to portscan networks and alert administrators to changes.

Lyon decided on a "surprise release" of the new nmap network scanner to avoid deadline pressure. "It is very hard to predict software release dates, especially open source," he told Risky.Biz before the launch. "So rather than keep giving dates and missing them, I just keep my mouth shut and then release suddenly when it is ready."

The new and improved tool had been through an extensive beta phase before the final release hit the nmap website at 9am Pacific time in the USA.

"Really, when you get into the double digits with your beta release counts, that's a good sign to say maybe you should release a non-beta version," Lyon says. "Otherwise you end up in perpetual beta like Google."

The new version is available here.

Adam Pointon, a Melbourne-based CSO and former penetration tester, was given the opportunity to preview the new nmap. "Ncat is sweet... I'm going to alias nc to ncat," Pointon says. "With most systems using or enabling IPv6 these days, it fills the gap in the toolset... and will replace the need for multiple tools working together, such as netcat, zebedee, stunnel or s_client."

The connection-brokering and I/O redirection features make it even richer, and innovative in IPv6 land, Pointon added.

Nmap was first released in 1997 and has become the de facto standard port scanning utility for penetration testers and network administrators.

It's also cracked Hollywood. During a scene in The Matrix Reloaded the movie's character Trinity is shown using the software while hacking into a power station's control systems.
