Podcasts

RB2: SPONSOR PODCAST: Vincent Weafer on software safety rankings

Presented by Patrick Gray, CEO and Publisher

In this sponsored podcast, Symantec's VP of security response joins RB2 to talk about some novel approaches to the malware problem.

We don't normally talk to sponsors about their own technology, but this is just where the conversation went, and it's pretty interesting stuff!

Symantec's vision for the future is to gauge the level of risk posed to systems by building up a database that ranks executables according to their reputation. It's sort of like eBay's system of ranking buyers and sellers. I'd heard of this approach a while ago, but Vincent drills down into a bit of detail here. It's good stuff.

Duration: 15:09

RB2: Kiwicon 3 presentation: Hacking Scientists by Paul Craig

Presented by Patrick Gray, CEO and Publisher

In this edition of RB2 you'll hear Paul Craig's Kiwicon 3 presentation, Hacking Scientists. As you'll hear, Paul has developed some fuzzing methodologies that he's applied to scientific software.

This sort of software -- chemistry stuff, fluid dynamics stuff, etc. -- is used by weapons designers, pharmaceutical engineers, car manufacturers and all sorts of very interesting people.

In other words, this software is found on the same systems as the world's most valuable IP. It's good stuff to find bugs in.

You might recognise Paul's voice -- in addition to working for Security-Assessment.com he's a regular contributor to the RB2 podcast. Enjoy!

Duration: 36:06

Risky Business #135 -- Climategate and hacking scientists

Presented by Patrick Gray, CEO and Publisher, and Adam Boileau, Technology Editor

This week's show is brought to you by the fine folks at Sophos.

This week we're looking at what the mainstream media is calling "climategate".

As world leaders meet in Copenhagen to try to hammer out a coordinated response to global warming, the blogosphere and indeed the mainstream press are all in a tizz over thousands of hacked e-mails from the Climate Research Unit of the University of East Anglia.

In all, 13 years of e-mails were stolen from the CRU and leaked online, with some of the e-mails appearing to show scientists manipulating data to exaggerate warming. For their part, the scientists say those e-mails have been taken out of context.

Either way, climategate has given climate sceptics a boost leading into Copenhagen, and as you'll hear, the scandal has certainly muddied the climate agenda at a critical time.

So we'll be chatting with scientist and climate change expert Professor Ian Enting from the University of Melbourne about climategate and its impact on the scientific community.

We'll also be having a chinwag with Paul Craig of Security-Assessment.com in New Zealand. Paul has done a whole bunch of research into hacking scientific software -- stuff like fluid dynamics packages, circuit modelling software and even chemistry modelling software. As it turns out, not many people have looked for bugs in this stuff, and they're everywhere. So it's our "hacking scientists" special edition of Risky Business this week.

Paul Ducklin will also be along later in the show for this week's sponsor interview. We'll be talking about that research into English language shellcode.

And Adam Boileau is this week's news guest!

Duration: 49:48

Risky Business #134 -- Adam Boileau wraps Kiwicon

Presented by Patrick Gray, CEO and Publisher, and Adam Boileau, Technology Editor

This week's show is a bit different -- we're giving you a double dose of our regular guest Adam Boileau.

Following Kiwicon last weekend I checked in to Chez Boileau for a few nights, so we were able to do the news in his kitchen before I buggered off back to Australia.

While I was there we also had a chat about Kiwicon and discussed some of the presentations we saw. Adam is a key organiser of Kiwicon so it made sense to discuss it with him. Topics covered include GPS security, shared hosting insecurity, Linux kernel rootkit detection, hacking scientists and much, much more.

Coincidentally Check Point's Steve MacDonald was in Wellington when I was, so we caught up for a beer and did this week's sponsor interview in the flesh. The topic was Microsoft's decision to start advising customers to ditch IE6.

In the same statement the company advised its clients to stop licking batteries and filling their petrol tanks with sugar.

Duration: 34:57

RB2: Ben Hawkes' Kiwicon talk: A History of Corruption

Presented by Patrick Gray, CEO and Publisher

This edition of RB2 features Ben Hawkes' recent talk at Kiwicon. It was called A History Of Corruption, and it really is a historical recap of memory corruption bugs. It doesn't exactly sound thrilling from that description, but it's a great talk and it's really well delivered.

Hawkes is a young security researcher based in New Zealand who's well and truly on the way up. His work on hacking the Vista heap was pretty awesome. If you are familiar with it then you know why a talk about memory corruption as done by Hawkes is going to be interesting. He knows what he's talking about.

Duration: 27:27

Risky Business #133 -- SSL/TLS flaw now useful, 9/11 pages and more

Presented by Patrick Gray, CEO and Publisher, and Adam Boileau, Technology Editor

This week's show is brought to you by Microsoft.

We've got a couple of great stories in this week's show. We'll be chatting with our semi-regular guest Adam Pointon, who's taken a bit of a look through the leaked 9/11 pager messages that popped up on Wikileaks overnight.

While everyone's been trawling through them looking for evidence that the aliens did it, Adam's been taking a look at the automatically generated messages that network equipment was sending out. It's interesting stuff.

We'll also check in with Mikhail Davidov from Leviathan Security in the USA. They've made the SSL/TLS flaw you've been hearing about MUCH more practical and they've written code that will let you -- yes, you -- perform a channel downgrade attack.

Adam Boileau is this week's news guest, and we're joined by Microsoft's Stuart Strathdee in this week's sponsor interview.

Duration: 44:34

CONFIRMED: Unu back with a bang: Symantec pwned

Presented by Patrick Gray, CEO and Publisher

"Unu's blog" is back online and has claimed the high-profile scalp of a Symantec website.

The anonymous blogger, who goes by the pseudonym Unu, successfully extracted customer data including license keys, usernames and passwords from a Symantec website that "facilitates customer support for users of Symantec’s Norton-branded products in Japan and South Korea," the company acknowledged in a statement.

He or she published their findings overnight on the resurrected blog.

Overnight, Risky.Biz received an e-mail from someone claiming to be Unu. "My blog is back on Baywords," the e-mail reads. "With [a] new address and with a big article: Symantec, the creator of the famous Norton hacked with SQL injection."

Unu's blog has developed a cult following among security professionals, some of whom admire his brazen attacks and others who loathe his tactics.

The site mostly consists of a series of screen captures showing Web applications allegedly compromised by Unu.

The blog's victims have so far included bank and other high profile websites, including the Royal Bank of Scotland, HSBC France, the Italian Postal Service, Facebook and more.

Unu has already claimed the scalp of another computer security software maker, Kaspersky, publishing details of vulnerabilities in its websites.

In his or her latest posting, Unu praised Kaspersky's reaction to the attack. "They quickly secured [the] vulnerable parameter, and even if at first they were very angry at me, [they] finally understood that I... saved nothing," Unu writes. "I have not abused in any way... the data found. My goal was, [and] is still, to warn. To call attention."

In the latest attack Unu says Symantec was storing user passwords in clear text.

"I was outraged when I saw... these users passwords are stored in CLEAR TEXT," the blog posting reads. "It seems quite strange how a company like Symantec, which sells software and security solutions... is not able to protect its own database."

A statement issued by Symantec says the company is "currently in the process of ensuring that the Web site is appropriately secured and will bring it back online as soon as possible".

The company did not offer further comment.

DISCLOSURE: Symantec is a sponsor of the RB2 podcast on Risky.Biz and Kaspersky has signed on as a sponsor of the Risky Business podcast, commencing in 2010.

RB2: Jose Nazario on BGP security

Presented by Patrick Gray, CEO and Publisher

This podcast features excerpts from Jose Nazario's session at the GovCERT Symposium in Rotterdam. The recording isn't fantastic, but you can understand what he's saying -- it's clear enough.

Jose works for Arbor Networks, and his talk at GovCERT was on BGP security -- security issues in core routing. He covers some pretty interesting questions, such as why there isn't some sort of global route registry that actually authorises routes. Currently there's nothing like that.

If you're not into routing stuff you'll probably get lost with this one, but otherwise you'll likely enjoy it.

Duration: 21:07

Risky Business #132 -- ADSL MITM and fun with Microsoft Mobile ActiveSync

Presented by Patrick Gray, CEO and Publisher, and Adam Boileau, Technology Editor

We've got two feature interviews in this week's show. We'll be chatting with Security-Assessment.com's Carl Purvis, who's found a way to man-in-the-middle ADSL connections by spending only $1,000 on kit. Want to own a branch office of a major corporation? No problem!

Carl's due to give a talk at the upcoming Kiwicon conference in which he'll show everyone how it's done, so the interview's a bit of a preview.

We'll also check in very briefly with Assurance.com.au's Oliver Greiter, who's been having a lot of fun with Microsoft's ActiveSync. He'll also be presenting his findings in a lightning talk at Kiwicon.

This week's episode is sponsored by Microsoft, and the company's strategic security advisor, Stuart Strathdee, joins us to talk about Microsoft's latest Security Intelligence Report in this week's sponsor interview.

Adam Boileau is this week's news guest.

Duration: 37:58

RB2: Q&A with Bruce Schneier

Presented by Patrick Gray, CEO and Publisher

In this podcast you'll hear a Q&A with Bruce Schneier of BT Counterpane, as moderated by Risky Business host Patrick Gray at the recent GovCERT Symposium in Rotterdam, Netherlands.

Topics covered include cloud computing, privacy, software manufacturer liability for defects, two factor authentication and more!

Duration: 27:10