Podcasts

You're about to hear a presentation by Jason Larsen, a security researcher at the Idaho National Laboratory. The INL is run by the US Department of Energy and is home to the National SCADA Testbed (NSTB) and the Industrial Control System CERT(ICS-CERT).

I'm going to read from his talk synopsis here: The first half of Jason's presentation will be an overview and update on what's happening in control. In most cases, simply sending properly formatted commands to the field equipment is enough, but there are cases when this does not achieve the attacker's goals. If the field equipment contains sanity checks, the attacker needs sub-second control, or if he simply wants to hide, he will invade the field equipment. Understanding the challenges the attacker faces are essential for any sort of investigative or forensics effort. The second part of the presentation will cover attack and forensics of the embedded systems used in industrial control systems.

We were a couple of minutes late plugging into the desk, so we'll pick up Jason's talk just a few minutes in.

You're about to hear an excerpt from the opening keynote from the AusCERT conference by comedian Bennett Arron.

Several years ago Bennett Arron was in serious debt. He owed thousands of pounds to mobile phone companies, catalogues and department stores. But it wasn't him! As it turned out, he was a victim of Identity Theft.

Years later, he wound up writing a comedy show about his experience... he eventually directed and presented a Documentary for Channel 4 called How To Steal An Identity.

In it he actually stole the identity of the then Home Secretary, Charles Clarke.

He was arrested over it, but you'll be pleased to know he was never convicted.

Anyway, Bennett was kind enough to allow Risky Business to play an excerpt from his talk. The whole thing is about an hour long and very entertaining... so obviously you should book him for your next exotically-located conference and or event. Big thanks to Bennett for allowing us to play this chunk of his talk.

In this interview we're chatting with Wade Alcorn. By day he's NGS Security's general manager for Asia Pacific, but by night he's out there maintaining BeEF -- the browser exploitation framework.

If you haven't heard of beef it's a very cool tool. If you can get someone to load it into your browser, either by them visiting a site you control directly, or alternatively through some sort of cross site scripting bug, then you can get the browser to do all sorts of stuff for you -- like portscan the victim's LAN, attack JBOss servers and stuff like that.

I caught up with Wade and asked him to tell us all about BeEF and what's the latest. With beef. Here's the beef.

This week's show was cut together from Johannesburg, South Africa!

In it we discuss Google's latest bug bounty initiative -- they're not just offering cash for bugs in software products, these days they're also offering cash for bugs in their online properties. Got an auth bypass for Gmail? Ka-ching!

This week's show is brought to you by Astaro. Jack Daniel of Astaro joins us to talk about restricting certain content types from SOEs. Do we really need Flash in our operating environments anymore? Can we just drop it and gain some security?

Adam Boileau drops in, as always, to discuss the week's news headlines.

This week's show is a bit shorter than usual. We'll check in with Adam Boileau to discuss the week's news headlines and catch up with Tenable Network Security CEO Ron Gula in this week's sponsor interview.

Between those two we cover the Playstation Network hack, the kidnapping of Ivan Kaspersky, Microsoft's decision to coordinate the disclosure of vulnerabilities in non-MS products and much, much more!

On this week's show we're taking a look at Verizon Business Security Solutions' annual Data Breach Investigation Report. We'll be joined by both Bryan Sartin for a global perspective on the report, and by his Australian counterpart Mark Goudie, who'll give us a local perspective.

You can have a squiz at the report here.

This week's show is brought to you by NetWitness, and in this week's sponsor interview we're chatting with Shawn Carpenter about just how hip post-compromise detection is becoming.

Adam Boileau, as usual, stops by for the week's news headlines.

This is something I haven't seen picked up much by the tech press writ large: Invisible Things Lab, headed by Joanna Rutkowska, has released a new Linux distro called Qubes.

UPDATE: Qubes has been around in alpha form for a bit, but this is the first beta release...

It uses hypervisor partitioning to give you that warm, fuzzy feeling that comes with operating in a virtualised environment. Heise Online has a nice little writeup here and you can find the beta here.

This is a really interesting release. If this OS turns out to be workable I suspect major software developers will take a bit of notice. I've been prattling on about the need for desktop operating systems to make use of virtualisation for greater security for yonks. Now we get to see what that looks like.

If you've had a play with it, let me know what you think.

This week's show is a doozie!

We're joined by Brian Snow to discuss risk-based security. Brian, who was the technical director of information assurance for the NSA in the US, recently contributed to a security review of US Department of Energy Nuclear Weapons Facilities. (You can download the unclassified version of the report here for free with registration.)

The review sought to understand if Probabilistic Risk Assessment (PRA) methodologies could be used to improve the cost effectiveness of the DoE's security.

The review found that PRA is, in fact, not suited to managing risk in malicious environments. It's great for modelling likely failures of power supplies in data centres, but not so good at modelling attack scenarios.

Basically it boils down to the fact that it's impossible to assign a likelihood to an unknown attack.

So how on earth did risk-based security become the "standard" way of doing things in the enterprise? What use is a risk register if high-impact, low-likelihood adverse events can't be reliably quantified?

Brian joins us to discuss. It's a corker interview.

Adam Boileau joins the show for this week's news. He seems especially keen to sing CA's praises this week. Metstorm <3's CA. He even has CA pyjamas. I've seen them.

Risky Business has been judged Australia's Best Technology Audio Program for a second year in a row.

The Lizzies, Australia's awards for technology journalism, are run by media services company MediaConnect, with each gong judged by a panel of three technology journalists.

Risky.Biz edged out entries from Sydney-based radio station 2GB, CNet/ZDNet and others.

Big thanks to the listeners, sponsors, guests and everyone who's helped out since the podcast launched back in early 2007.

Episode 190 of the Risky Business podcast is brought to you by our good buddies at Astaro.

Astaro's Jack Daniel joins us in this week's sponsor interview to talk about the evolution of firewalls. We try to predict what they're going to look like, five or ten years out. No surprises for guessing convergence is going to be a big thing.

In this week's feature interview we chat with Kowsik Guruswamy of muDynamics about a project his company kicked off called pcapr.net

It's an online archive of packet captures/traces with 60 million packets archived and 5200 members contributing. It's a great project and I'm surprised more people in the infosec community haven't heard of it.

As always, Adam Boileau stops in for a check of the week's news.