Podcasts


Risky Business #131 -- Interview with iPhone worm author Ikee

Presented by Patrick Gray (CEO and Publisher) and Adam Boileau (Technology Editor)

This week's feature guest is the creator of the iPhone worm, Ashley Towns, aka Ikee. This guy is either a cheeky kid or a cyber terrorist, depending on who you ask, and yup -- we've got him on the show.

We also check in with Paul Ducklin of Sophos in this week's sponsor interview. You've never heard two interviews that clash more, it's hilarious.

In one corner is the heavily pierced kid from Wollongong with the funny haircut, in the other is the middle-aged AV guy who's a real stickler for the rules.

It's the naughty kid versus the school principal, both interviewed about the same series of events.

We're also joined by Adam Boileau for a discussion of the week's news.


Unu's blog disappears

Presented by Patrick Gray (CEO and Publisher)

"Unu's blog", a website chronicling one hacker's brazen compromises of high-profile web applications, has been yanked offline.

Visitors to the blog are now shown text suggesting Unu has shut up shop voluntarily. "This user has elected to delete their account and the content is no longer available," is the only explanation offered.

Unu's blog mostly consisted of a series of screen captures showing allegedly compromised Web applications. The blog's victims included bank and other high profile Web sites, including the Royal Bank of Scotland, HSBC France, the Italian Postal Service, Facebook and more.

Prior to hosting at BayWords, Unu's blog was hosted by Wordpress.com, until it was apparently pulled down after the blogger posted details of a vulnerability in a Yahoo site.

Most recently Unu made waves by claiming to have hacked BarackObama.com, a claim disputed by the Democratic National Committee's national press secretary Hari Sevugan.

While the actions of the blog author, if proved authentic, would clearly be illegal, the Web site attracted a significant following -- and a modicum of privately expressed respect -- among many IT security professionals.

While Unu's motives were never expressly outlined, many assume the blog served to name and shame large organisations that failed to secure their web applications.

Follow Risky.Biz on Twitter here.

Sign up for a Risky.Biz account here to receive a weekly newsletter and join our forums!

Risky Business #130 -- Are non-ASCII domain names a security risk?

Presented by Patrick Gray (CEO and Publisher) and Adam Boileau (Technology Editor)

This week's show is sponsored by the wonderful people from Tenable Network Security.

This week's feature interview is with Chris Disspain, the CEO of Australia's domain name regulator auDA.

This week we're discussing the move to Cyrillic domain names -- some media commentators have gone a bit berserk on this one, saying that the move will introduce massive risks because people will be able to do phishing campaigns with domains made up partially of Cyrillic characters.

Chris will be along to talk about why he thinks that's wrong.

We're also joined by Tenable Network Security's CEO Ron Gula in this week's sponsor interview. Ron gives us his take on Rapid7's acquisition of Metasploit.

Adam Boileau also pops in for a look at the week's news headlines.

PLEASE NOTE: We're having some technical problems with the site and the flash player below doesn't work at the moment. Just use the direct download link or pull the file through your podcatcher/iTunes... sorry for the inconvenience!


RB2: SPONSOR PODCAST: Symantec's Kevin Haley talks malicious AV metrics

Presented by Patrick Gray (CEO and Publisher)

In this sponsored podcast, Risky.Biz chats with Symantec's Kevin Haley about rogue AV. More specifically, how can we measure the extent of the rogue AV problem? How can we know how much money is involved, and what can be done to shut down this nasty trade?


Risky Business #129 -- Smart meters a stupid idea?

Presented by Patrick Gray (CEO and Publisher) and Adam Boileau (Technology Editor)

This week's podcast is hosted by Vigabyte virtual hosting but sponsored by Check Point.

On this week's show we're taking a look at smart metering. It's all the rage these days -- it will usher in an era of automated billing for electricity, gas and water as well as letting the utilities companies do all sorts of intelligent grid management stuff. Utilities across Australia and indeed throughout the world are rolling this technology out as we speak.

But as you'll hear, there are opposing views on whether or not this stuff is ready for rollout.

Could a smart meter worm that can shut down whole cities be on the horizon? It sounds a bit extreme, but that's one concern Professor Bart Jacobs of Radboud University in the Netherlands highlights. We'll hear from him later.

We'll also hear from Logica's smart metering security expert Karl Dawson. He has extensive experience working with utilities on this sort of thing and says it can be done securely, if it's done right and monitored properly.

In this week's sponsor interview we'll be chatting with Steve MacDonald from Check Point. He's Check Point's engineering services manager here in Australia, which means he spends a lot of time with big, big companies dealing with their issues. This week we're chatting to Steve about some of the more idiotic things he's seen customers do. Blanket "allow ANY" firewall rules, anyone?


RB2: Script fragmentation PLUS advanced SQLi

Presented by Patrick Gray (CEO and Publisher)

Risky Business 2 is brought to you by Symantec and hosted by Vigabyte virtual hosting!

In this podcast you'll hear our roving reporter Paul Craig interviewing a couple of presenters from BruCon, Belgium's security conference.

In the first interview, Paul chats to Stephan Chenette of Websense about script fragmentation, a concept that's a bit similar to TCP fragmentation for IDS evasion.

Interview number two is about advanced SQL injection attacks, with Gotham Digital Science's Justin Clarke.


Risky Business #128 -- Metasploit acquired by Rapid7

Presented by Patrick Gray (CEO and Publisher) and Adam Boileau (Technology Editor)

This week's edition of Risky Business is brought to you by Sophos.

And what a show it is! We've got the exclusive podcast interview with HD Moore, who fills us in on the acquisition of the Metasploit project by Rapid7.

Now, before you GPL freaks run to the shed to dig out the pitchforks and flaming torches, you should hear this interview. The way HD describes it, this acquisition is about the best thing that could have happened to Metasploit.

Rapid7's director of products and operations, Corey Thomas, also joins the show with some soothing words for anyone with concerns about the acquisition.

We're also joined this week by Adam Boileau, who discusses the week's news headlines, and Paul Ducklin of Sophos joins us for the week's sponsor interview.

Subscribe to the Risky Business podcast here.

Follow Risky Business on Twitter here.

Sign up for a forum account and our weekly newsletter here.

...or leave us a voicemail on Sydney 02 8569 1835 or USA +1 877 688 8417 (Toll free).


H D Moore sells Metasploit: Open source project in commercial hands

Presented by Patrick Gray (CEO and Publisher)

The Metasploit project has been acquired by Rapid7, a US-based vulnerability management company.

Metasploit creator H D Moore confirmed the sale in a podcast interview with Risky.Biz overnight (Click to hear the podcast). "This is more of a buy in than a sell out," he told Risky.Biz. "It's about taking Metasploit to the next level with a real company with real funding."

Eager to put open source enthusiasts' minds at ease, Moore told Risky.Biz the acquisition will result in full time resources being allocated to the Metasploit project. Rapid7 will fund five full time developers to work on the project and Moore insists all core software developed by the new, full time team will remain free and open source.

"Nothing that people are using today is going away," he said. "I'm definitely in it for the long haul."

Rapid7's director of products and operations, Corey Thomas, insists the company is committed to the future of Metasploit as an open source project. He says the acquisition seemed a natural progression following partnership and integration discussions with Moore.

"We [already had] two or three developers who contribute to Metasploit," he said. "After a period of time we decided the best way to go was to make a direct investment and fully sponsor the Metasploit project."

Originally released in 2003, Metasploit allows security professionals to rapidly develop exploits for computer vulnerabilities. Initially regarded as controversial, Metasploit has become a staple tool for penetration testers and other technical security professionals.

To hear H D Moore and Corey Thomas discuss the acquisition, listen to Risky Business episode 128 here.


Risky Business #127 -- Extra Chunky Cyber Security with David Rice

Presented by Patrick Gray (CEO and Publisher) and Adam Boileau (Technology Editor)

This week's show features an excerpt from David Rice's plenary speech at the GovCERT Symposium in Rotterdam, The Netherlands.

In his talk, David asks what the security business could learn from pasta sauce, Diet Pepsi and food science in general. It's a bit out there, but it's well worth a listen.

You'll also hear from Microsoft Australia's Andrew Parsons about a couple of programs Microsoft is running that involve giving away an absolute tonne of expensive software to students and start-ups. It's not a security-related interview, but hey, the programs are pretty interesting and worth featuring.

There's no news guest this week -- I'm still travelling back to Australia from Europe. It's a long way. No, really... It's far.

But we'll be back to regular programming next week.


Risky Business #126 -- Doing it right and getting owned anyway

Presented by Patrick Gray (CEO and Publisher) and Adam Boileau (Technology Editor)

This week's show is a bit of a special edition, prepared at the GovCERT.nl Symposium at the World Trade Centre in Rotterdam, Netherlands.

This isn't a regular edition of the show, so sadly we will not be joined by our regular news guest Adam Boileau for our weekly news segment. Instead, we'll be having a chat with Neohapsis CTO Greg Shipley, who's also here to give his own talk at GovCERT.nl.

Greg's firm actually did some of the forensics work on one of the organisations allegedly attacked by Albert Gonzalez, the Internet super-villain. If you've been in a cave for the last few months, Gonzalez is the guy who's suspected of stealing up to 135 million credit card numbers over several years... and he's now in prison as a result.

Greg and I discussed how these sorts of breaches could actually happen in organisations that actually pay attention to their security.

In this week's sponsor interview, Check Point's Engineering Services Manager Steve MacDonald will be along to have a talk about a recent report -- one that we mentioned on last week's show -- that claimed up to nine percent of corporate machines are actually infected with custom-designed malware.

Working for Check Point, Steve has a lot of exposure to large corporate clients and, depressingly, says the report is entirely plausible.
