Podcasts

On this week's edition of the show we take a look at the security of Apple's iTunes store. If you haven't heard the news, it seems a rogue app developer was able to bill Apple customers for apps they never bought.

We'll find out just how well the Apple app store was put together in the first place when we speak with Karl Chaffey. He works for a mobile development company and put together an interesting lightning talk for last year's Kiwicon conference which was all about the iTunes store.

Also this week we'll be chatting with Veracode's director of product management Tim Jarrett in our sponsor interview. We'll be talking about how to keep things nice when you're maintaining live code... how much automated scanning should you do? How much manual testing?

Adam Boileau is the week's news guest.

US soldier Bradley Manning has been charged with disclosing classified material to whistleblower site Wikileaks.

But it's what he hasn't been charged with that's interesting.

Since the news of Manning's arrest broke there has been much speculation about the fate of 150,000 diplomatic cables the young soldier is alleged to have stolen.

However, according to the charge sheet, only 50 diplomatic cables were disclosed to an unnamed third party.

In the charge document the US government alleges Manning did "willfully communicate, deliver and transmit the cables, or cause the cables to be communicated, delivered, and transmitted, to a person not entitled to receive them".

While the charges allege Manning also stole 150,000 diplomatic cables, there's no mention of him leaking them to a "person not entitled to receive them".

This doesn't actually tell us whether or not Manning has leaked the 150,000 cables. What it does tell us is the US Military does not possess enough evidence to charge Manning with leaking that material.

Could it be that Wikileaks is sitting on those cables, withholding their publication until Manning's legal problems are over with? Or could it be that Manning was arrested before he could leak the 150,000 cables he allegedly stole?

It's impossible to say. But the omission of a charge involving the leaking of that information is certainly interesting.

Photo kiosks in Big W stores are allegedly infecting customers with USB-borne viruses.

The Windows-based Fuji photo kiosks located in the company's stores apparently don't run antivirus software, so lovely little bits of malicious software like Trojan.Poison-36 are winding up on customers' USB keys, according to Risky Business listener and blogger Morgan Storey.

On its own, an isolated incident of a photo kiosk infecting a USB device might not be newsworthy. But what makes this item stick out is Big W's reply to Morgan after he notified the company of the issue:



That's right folks, Big W, a subsidiary of Woolworths, didn't think it necessary to install antivirus on its photo printing kiosks. Sure, they're evaluating AV now, but blind Freddy could have seen this problem coming last year when the kiosks were installed.

What the hell were they thinking?

It's not just the lack of AV that's the problem. As Morgan points out it appears there's been zero thought put into the problem of malware spreading via these kiosks. Why not just treat customers USB devices as read-only? Why allow the kiosks to write to them at all?

Risky.Biz has so far been unable to confirm Morgan's post with Big W. According to the company's HQ the PR guy doesn't like being phoned and only takes media requests via e-mail. Seems an odd way to conduct PR, but hey, each to their own.

Risky.Biz e-mailed a series of questions to Big W at lunchtime today but as yet they remain unanswered.

It would be interesting to find out which company -- Fuji, Big W or even some other third party -- is responsible for the maintenance of the machines. It would also be interesting to find out if there are any liability issues here for Big W in light of its boneheaded lack of security planning.

WARNING: This week we missed some bad language during the edit... so hide this filthy podcast from your children's innocent ears.

On this week's show we're chatting with the head of Australia's Internet Industry Association (IIA), Peter Coroneos, about the government's plan to force internet users here to use antivirus software or be kicked off the tubes!

Peter was the architect of Australia's just released voluntary code for ISPs, but he'll be along soon to talk about why he thinks regulation here is actually a BAD idea. That's coming up soon.

In this week's sponsor interview we chat with Tenable Network Security CEO Ron Gula about APTs, or Advanced Persistent Threats. Are APTs a big deal? Are they real? Is this marketing hype? What's going on?

That's this week's sponsor interview, and it's coming up later.

Adam Boileau, as always, joins the show to discuss the week's news headlines.

I've followed with great interest Wired.com's coverage of the arrest of Private Bradley Manning, the young American soldier who allegedly leaked reams of classified US military material to Wikileaks.

I've also watched in disbelief as Wikileaks has lashed out at Wired.com journalist Kevin Poulsen, suggesting he somehow acted unethically in his reporting of the arrest.

In my mind all he did was scoop other outlets with the news of Manning's troubles. That's not unethical, that's just good journalism.

The Wikileaks Twitter account disagreed, suggesting there's a "special place in hell" for journalists like Poulsen and Adrian Lamo, the one-time greyhat hacker who turned Manning in.

Wikileaks founder Julian Assange is most likely the author of those infantile tweets.

Poulsen's reporting was excellent. My guess is Assange just didn't like the story. But instead of turning the other cheek, Wired.com has apparently fired back.

This piece by the Website's journalist Ryan Singel -- it would look bad if penned by Poulsen, after all -- breaks the news of Wikileaks apparently broken submission process.

While unquestionably newsworthy, the article reads like a classic attack piece, dripping with sarcasm. It's mocking.

In my view it is intended, clearly, to go beyond describing the broken submission process and portray Wikileaks as an unprofessional organisation undeserving of the "mostly-laudatory media portraying Wikileaks as a fearless, unstoppable outlet for documents that embarrass corporations and overbearing governments".

My guess is if Wikileaks is indeed sitting on 260,000 leaked diplomatic cables that describe, in painstaking detail, every example of skulduggery the US government has inflicted upon the Middle East in the last decade, a broken SSL cert is probably the last thing on its mind.

They might be more worried about, you know, the CIA death squads on their ass.

If Wired wants to hold the high ground in this little pissing contest it needs to be much more careful. The article makes no mention of the spat between Wired.com and Wikileaks and that's a big pile-o-fail, right there. That sort of thing needs to be disclosed to readers.

While we might expect this sort of behaviour from a pseudo-activist organisation like Wikileaks, we deserve better from a professional media organisation.

As for Wikileaks, keep 'dem docs coming.

We'll ignore your ridiculously biased contextualising of leaks if you keep giving us unedited source material.

You're not a professional news organisation that needs to be held to the same standard as Wired. Be as infantile as you want on Twitter.

(Wikileaks has denied the Wired story, saying its submission process is being upgraded to "deal with growth".)

Click here to listen to Risky.Biz's interview with former grey-hat hacker Adrian Lamo about his decision to turn in Manning.

What do you think? Comment below.

In this week's show we have a chat with iDefense threat analyst Kimberly Zenz.

Apparently Russian cybercrooks love to use ICQ, so US-based investigators are worried about the planned sale of ICQ to a Russia-based company called Digital Sky.

Kimberly's specialty is the Russian cybercrime scene, and apparently this mooted sale is interesting for a number of reasons. She joins the show to explain!

Adam Boileau is this week's news guest, and Vitaly Kamlyuk of Kaspersky Labs is this week's sponsor guest. In it we discuss the number of malware samples with valid authenticode signatures that are popping up.

With a system this loose is there actually a point to signing code?

On this week's show we take a look at Australia's CERT wars. The Australian government has more or less declared AusCERT dead. It says its new group, CERT Australia, which is run out of the Attorney General's Department, will act as the sole point of contact for organisations in Australia when seeking CERT services or coordination.

AusCERT doesn't see it that way. Its general manager, Graham Ingram, fronts this week's program to claim it's business as usual for the member-funded NGO. We also have a chat with our secret squirrel, an anonymous source close to the war.

Mark Dowd is this week's news guest, filling in for Adam Boileau this week. Adam's off presenting at Syscan in Singapore, but he'll be back on deck next week.

In this week's sponsor interview we speak with Check Point's Engineering Services Manager Aviv Abramovich about using logging as a deterrent to data theft.

In this week's feature interview we chat with Adrian Lamo. Best known as the "homeless hacker," Lamo is in the news again over his decision to inform on US Army Specialist Bradley Manning, the alleged leaker of the so-called "Collateral Murder" video published by Wikileaks in April.

Manning is now in detention in Kuwait. We ask Lamo why he turned him in.

Also this week, Veracode co-founder and chief scientist Christien Rioux joins the show to talk about some fresh approaches to information security and cloud computing in our sponsor interview. Sounds boring. Isn't.

Adam Boileau, of course, joins us to discuss the week's news.

On this week's show we take a look at reports that Google is set to banish Microsoft Windows from its operating system over security concerns.

The tech giant says running Windows is just too risky. Google was, after all, famously owned in the Aurora incident through holes in Internet Explorer 6.

But our guest this week, Neohapsis CTO Greg Shipley, says getting owned by a hole in a nine year old browser is probably a sign that your desktop management is the problem, not the platform you've chosen.

Also this week, Marcus Ranum joins us to talk about what he describes ad the non-existent meme that is "Cyberwar". That's this week's sponsor interview.

Adam Boileau, as always, checks in to discuss the week's news.

RB2 is brought to you exclusively by Symantec.

Mobile security is all the rage these days, so when Research In Motion (RIM) VP of security Scott Totzke came to Australia a few weeks ago, we made sure we got an interview.

RIM is the company that makes the Blackberry. While it doesn't have as many cool points as the iPhone, the Blackberry has become the mobile workhorse of the modern enterprise. US President Barack Obama famously insisted on keeping his Blackberry when he came to office, so obviously anything Scott has to say about mobile security deserves to be heard.

I spoke to him by phone a couple of weeks ago.