Podcasts

RB2: BruCon Podcast: Chris Nickerson on Red Team testing

Presented by

Patrick Gray

CEO and Publisher

In today's podcast you'll hear Risky.Biz's New Zealand correspondent Paul Craig discussing Red Team testing with Chris Nickerson. A Red Team test involves more than just a standard pen test, it's an outright simulated attack. You'll hear Chris speak of crawling through ceilings to get to data centres, stealing trade secrets -- actual documents -- and even having his nose smashed in by an overly enthusiastic security guard.

Paul did this interview at BruCon, a security conference in Brussels, the lucky bastard, and we'll pick up the conversation here where Chris is talking about what sort of stuff he sets out to steal when he's scoping out a Red Team exercise.


Risky Business #125 -- Bottle Domains appeals, bank sued by phishing victim

Presented by

Patrick Gray

CEO and Publisher

Adam Boileau

Technology Editor

On this week's show we'll be chatting with Stratsec's Chief Technology guy Nick Ellsmore about bank fraud liability. A couple in the USA who fell victim to a phishing scam are suing their bank to get their money back. Nick's not a lawyer, but he's one of those guys who follows the law as it relates to security very, very closely, so he'll be on the show to talk about that.

We'll also check in with the head of Australia's domain name regulator auDA, Chris Disspain. A couple of years ago an Australian domain name registrar, Bottle Domains, had its credit card database walked out through the perimeter. That's led to auDA taking court action, and by the looks of things it's set to drag out a bit longer.

In this week's sponsor interview we're joined by Microsoft's Stuart Strathdee. That one's a bit of a mixed chat about all sorts of stuff. We're talking all things Microsoft. And there's been a lot of MS-related news of late.

Adam Boileau is this week's news guest.

[MINOR CORRECTION: It's mentioned in the show that it's rare for a TLD regulator to take action against registrars. Risky.Biz is told that is not the case.]


EXCLUSIVE: Bottle Domains to appeal court ruling

Presented by

Patrick Gray

CEO and Publisher

Domain name regulator auDA moved to terminate Bottle Domains' registrar agreement when it was revealed the company's customer database had been hacked and offered for sale in a black market forum. "Under the terms of the registrar agreement with us they are obliged to inform us of any security breach," auDA CEO Chris Disspain told Risky.Biz in a podcast interview. "That did not happen."

The loss of accreditation would have seen the company stripped of the right to conduct business as a domain name registrar. The domain names of its existing clients would be transferred to auDA itself, which would have acted as an interim registrar.

"[The judge] has stayed those orders for a period of time to allow Bottle to go to the court of appeal and apply... for an injunction pending the hearing of a full appeal," Disspain said.


Risky Business #124 -- Blogger brazenly pwns Web apps, publishes results

Presented by

Patrick Gray

CEO and Publisher

Adam Boileau

Technology Editor

On this week's show we'll be taking a look at the disclosure of security vulnerabilities in Web applications.

An interesting blog has recently popped up here. If you visit (at your own risk), what you'll see there is basically nothing but screen caps of owned Web applications. They're big targets, too.

We're talking about Facebook, RBS WorldPay, that sort of thing. Browsing through that blog is a very diverting 20 minutes.

Is owning sites and posting the results like this unethical? We thought we'd ask our guest Adam Pointon. He's a CSO for a financial services company that operates a very complicated web application for tens of thousands of users.

We'll also be chatting with our sponsor guest Paul Asadoorian this week. Paul is the co-host of the PaulDotCom Security Weekly podcast. When he's not in front of a microphone, Paul's out there being Tenable Network Security's evangelist. This week we're chatting with him about some interesting research the SANS Institute has released which revealed which weaknesses in corporate security are actually doing the most damage.

This week's special news guest is Munir Kotadia.

Risky.Biz has been asked to help a well respected security company find a new penetration tester in Melbourne. E-mail jobs at risky dot biz for more information. Details are in the show... if you're not interested, put someone forward for a $1,000 finder's fee.


RB2: Is Microsoft's upcoming Office 2010 more secure?

Presented by

Patrick Gray

CEO and Publisher

Risky Business 2 is sponsored exclusively by Symantec.

In this edition of the show we're taking a look at Microsoft's Office 2010.

Last week I headed to Microsoft's Tech Ed conference on the Gold Coast and caught up with Reed Shaffner, a product manager with the Office team, to chat about the security features in Office 2010.

The company has put a lot of work into making sure the types of attacks that have plagued its office suite over the last few years will be a thing of the past. Will these new measures succeed?


Risky Business #123 -- Huawei a PLA front?

Presented by

Patrick Gray

CEO and Publisher

Adam Boileau

Technology Editor

This week's edition of Risky Business is brought to you by the fine folks at Sophos, the makers of all types of security software and the employer of many, many smart cookies.

This week's show is a bit of a mixed bag. We'll of course be checking in with our buddy Adam Boileau to discuss the week's news headlines, then we'll be having a chat with journalist Cameron Stewart. He works for The Australian, a Murdoch-owned newspaper, and he's written a series of articles alleging Australia's spy agency ASIO has been called in to investigate Chinese networking equipment manufacturer Huawei over alleged links to Chinese intelligence organisations.

Interesting stuff to say the least.

Then we're going all Mac on you. We'll be chatting to Brett Olsen, who's been doing some interesting work in looking at the privacy implications of some iPhone applications. Yes, I know iPhone stuff has been done to death, but Olsen's i-phone-home project could be a preview of things to come across the whole mobile computing space.

Then of course we'll be chatting with Sean Richmond of Sophos in this week's sponsor interview. He'll be giving us a vendor take on Apple's decision to build some rudimentary AV into its operating system.


No patch for Windows 2000 vuln

Presented by

Patrick Gray

CEO and Publisher

While the bug allows remote code execution on several versions of Windows, including Vista and Server 2008, its impact on Windows 2000 is limited to causing a denial of service.

Let's hope it's not one of those Denial of Service bugs that turns out to be quite serious later.

The bug appears to be some sort of TCP/IP stack problem -- discovered by the late Jack C. Louis -- which allows attackers with the ability to connect to any port to run code or DoS the target, depending on the version of Windows.

It's a bad one.

It's especially bad if you're running legacy applications on Windows 2000. The only mitigation for this thing is a properly configured firewall that cleans TCP window sizes (cleans Windows' windows, hur hur) in front of the Windows 2000 host.

Here's the relevant bit of the advisory:

"The architecture to properly support TCP/IP protection does not exist on Microsoft Windows 2000 systems, making it infeasible to build the fix for Microsoft Windows 2000 Service Pack 4 to eliminate the vulnerability. To do so would require rearchitecting a very significant amount of the Microsoft Windows 2000 Service Pack 4 operating system, not just the affected component. The product of such a rearchitecture effort would be sufficiently incompatible with Microsoft Windows 2000 Service Pack 4 that there would be no assurance that applications designed to run on Microsoft Windows 2000 Service Pack 4 would continue to operate on the updated system."

Windows 2000 support was to continue until July next year.

Risky Business #122 -- Cybercrime and Pablo Escobar

Presented by

Patrick Gray

CEO and Publisher

Adam Boileau

Technology Editor

This week's episode is sponsored by Check Point software.

On this week's show we're chatting to Alastair MacGibbon of Surete Group. He was the Australian Federal Police Agent who established the multi-jurisdictional Australian High Tech Crime Centre back in 2003. He was with the AFP for 15 years and spent the majority of his policing career working in drug enforcement. That included investigating criminal drug syndicates.

He'll be along this week to dispel some of the current theories doing the rounds about online criminal activity.

We'll also be joined by Check Point's Fred Borjesson to discuss hardcore, customised malware: memory scrapers, rootkits and other stuff the hardcore bad guys use to exfiltrate card data from compromised organisations. It's virtually impossible to detect because, well, it's not widely distributed like most malware -- this is hardcore stuff for hardcore people. That's this week's sponsor interview.

We also discuss the week's news with Adam Boileau.


RB2: OWASP Day podcast: Web application bug chaining

Presented by

Patrick Gray

CEO and Publisher

Risky Business 2 is brought to you exclusively by Symantec, so big thanks to the team over there for making this podcast possible!

In this week's special interview you'll hear Paul Craig discussing Web application vulnerability chaining with Mark "Pipes" Piper. Chaining is basically combining a whole bunch of trivial bugs into something quite critical.

Paul did this interview at New Zealand's OWASP day.


VulnDisco bug list made public

Presented by

Patrick Gray

CEO and Publisher

It makes for pretty interesting reading. There are 211 exploits on the list, with 117 of them described as confirmed 0day.

You can find the list here.

As far as Risky.Biz is aware, these guys do not contact vendors and give them details on 0day they acquire. While to most that would seem the right thing to do, it's directly opposed to InteVyDis' commercial interests.

A fixed bug is a dead bug. Why slash the value of your own product?

We would love to hear from readers on this in the forums. Do you think a business model that involves selling 0day without notifying vendors is inherently immoral?