Podcasts

This week's feature interview is a chat with Didier Stephens about his work in bypassing Windows-based whitelists.

You can read about Didier's work here and here.

You can really lock down Windows boxes by whitelisting what can run on them. You've got SRP -- or Software Restriction Poly, and you've got the Windows 7 feature AppLocker. Primarily they're designed to stop daft employees from installing malware-laden baby name generators and stuff like that, but some administrators have found this approach is quite effective at blocking malware.

After Stuxnet came along, for example, some admins turned to AppLocker for a bit of extra comfort. But as you'll hear, if your goal is preventing custom malware from running on your system, you're about to learn that AppLocker is pretty much useless.

Didier Stephens is based in Belgium, works as a security guy in the finance industry and enjoys doing unnatural things to Windows. He joined us by phone to discuss his latest party trick.

In this week's sponsor interview we're joined by Astaro's Jack Daniel. He joins us to discuss security for small to medium businesses. It seems that half the time their paying way too much for top level advice or being fleeced by charlatans. What's some practical advice for SME businesses?

In this week's new segment Adam Boileau and Patrick Gray discuss the HBGary hack.

This week's edition of the show is brought to you by Tenable Network Security. We'll hear from Tenable's Paul Asadorian in this week's sponsor interview.

In this week's feature interview we're chatting with Immunity Inc's Bas Alberts about the security of Google's Android mobile operating system. As it turns out, Android's patching model is pretty awful.

To demonstrate the problems with Android, this week's feature guest, Bas Alberts, took a Webkit bug affecting the Chrome browser found on Android devices, attacked his boss's phone and used a garden variety Linux kernel local privilege escalation vulnerability to completely own the phone. He turned it into a video and it was uncomfortable viewing to say the least.

Bas works for Immunity Inc in the USA and joined me by phone to discuss his research and its implications.

Adam Boileau is back on deck to discuss the week's news headlines!

This is the last Risky Business podcast for 2010, and it's a cracker!

In it we take a look at three things that shaped the information security news agenda in 2010 -- Stuxnet, Wikileaks and the resulting militarisation of the Internet.

We also look back on a year of UNIX-beard-guy news with Adam Boileau.

We hope you enjoy this special edition -- we'll be back in February 2011!

On this week's show we're taking a look at a nifty little presentation by Mark Piper delivered to the recent Kiwicon conference.

Pipes is a pentester, and he's figured that around 4% of websites, globally, leak source code because they're allowing metadata from their code versioning and revision control systems to wind up on their production boxes.

Sometimes that means you can obtain source code when you're doing a black box pentest, or even if you're trying to pwn Facebook or Twitter on your own time.

Also this week, Adam Boileau joins us to discuss the week's news and Microsoft's Katie Moussouris joins us to discuss her role in drafting the ISO standard for vulnerability disclosure. That's this week's sponsor interview.

Australia's largest independent information security consultancy, Stratsec, will be acquired by British defence contractor and arms manufacturer BAE Systems.

The company operates defence-accredited facilities here in Australia, runs common criteria certification labs and employs around 60 consultants nationwide. Risky.Biz understands the announcement of the sale is imminent.

The company has been aggressively hiring new consultants all over the country since merging with a smaller infosec outfit, SIFT, in May this year.

That deal that valued SIFT at A$3.5m and the new, merged company at A$15-$20m. The BAE deal is thought to value Stratsec at the upper end of that range.

The proposed acquisition seems a sensible fit for all involved. Military contractors are increasingly ramping up their information security capabilities as government fears of "cyber war" grow to fever pitch.

And when there's a buck to be made out of war of any kind you can bet your ass there's a military contracting firm scuttling around under a nearby rock, ready and willing to take advantage.

Still, ethically speaking I'm fairly confident selling penetration tests at extortionate, military-grade prices beats manufacturing cluster bombs and using creative accounting to shift billions in profits off your books to evade tax... so who am I to complain about this wonderful new direction our industry is heading in?

What do you think? Care to comment?

On this week's show we're joined by Stephen Glass of the OP25 project.

P25, also known as Project 25 or APCO 25, is a wireless protocol used by federal, state and local agencies all over the world. It's what drives police and fire service radios, for example.

Perhaps not surprisingly there are some problems with the way p25 handles encryption. It relies on the antiquated DES standard and the key is relatively easy to brute force, for example

But there was one finding in the talk that knocked everyone's socks off. As it turns out, it's possible to remotely disable P25 radios. The operators of P25 networks can remotely brick any radio on their system. The funny part -- the genuinely hysterical part -- is that there's no authentication whatsoever on that command.

Just issue a kill command with the radio's ID in it and it's bricked, and as every transmission broadcasts each radio's ID, that's a real problem.

Also on this week's show, Symantec's Liam O'Murchu drops in to discuss his work on the Stuxnet worm -- that's this week's sponsor interview. And Adam Boileau is back in the news seat for a look at the week's news headlines.

WARNING: I didn't edit out ALL the bad language this week... missed a couple of "F-Bombs"... Just an FYI

Silvio Cesare has been on the Australian information security for yonks. He's a talented vulnerability researcher, worked as a scanner architect for Qualys back in 2002, and has generally been kicking around being a smart guy for a long time.

These days he's doing a PhD in control flow graph-based malware classification and analysis. In short it's a static-analysis based approach to malware analysis, as opposed to the traditional approach of examining byte-level content.

It has real potential to improve antivirus software and Silvio joins us to discuss his work.

This week's show is brought to you by Kaspersky Lab. Vitaly Kamlyuk of Kaspersky Lab Japan will be along to discuss security research and the law. Should researchers be allowed to shut down botnets and C&C servers legally? Currently that sort of vigilantism is forbidden, but could we all benefit from exemptions?

Brian Snow worked for the USA's National Security Agency from 1971 until a few years ago. By the time he retired from the agency he had risen through the ranks to the position of technical director, information assurance.

He's also one of Risky Business listeners' favourite guests.

This week's show features an in depth conversation with Brian about all sorts of recent trends in the information security area -- Stuxnet, technical debt, surveillance news and more.

It's a cracker interview.

This week's show is brought to you by Tenable Network Security, and that company's CSO, Marcus Ranum, will be along to give his take on Stuxnet. He says it changes nothing and is not an act of so-called cyber-war. In fact, Marcus says (quite rightly) that there's no proof whatsoever that Stuxnet was the work of a state-run agency.

Today's podcast is a special edition -- I'm basically on holidays and travelling for work for the next three weeks so there will be no news section for a little bit, but don't worry, we'll be back to regular programming in three weeks.

But until then we've got some killer interviews for you. This week you'll hear from InQTel CSO Dan Geer and McAfee CTO George Kurtz.

It's always struck me as odd that when a credit card transaction turns out to be fraudulent it's the merchant who foots the bill. It seems weird because the merchant isn't really in a position to implement the required changes to our transaction and authorisation systems that would actually cut fraud.

So is it time that we updated the liability model? McAfee CTO George Kurtz joins us with his views.

PCI DSS has been forced onto merchants to help cut down breaches, but the statistics in documents like Verizon Business's data breach investigation report prove that being compliant won't save you from being pwnz0riz3d.

But it's a massive effort, isn't it? Is the PCI DSS industry keeping valuable security professionals employed in silly jobs, chasing down XSS bugs in merchant websites? Is this really the best use of our resources? Dan Geer joins us to discuss.

This week's edition of the show is brought to you by Microsoft, and Fredrique Dennison of Microsoft Australia joins us to discuss the company's upcoming release of its Forefront security software.

Firesheep is a Firefox plugin that automates the hijacking of http sessions over unsecured wifi access points. While sites like Facebook, Twitter and so on use https to protect login credentials, after successful authentication nine times out of ten you drop back to a http session.

That means, of course, that your session cookie is flying around in plain text and your authenticated session is easily hijacked. But session hijacking has always been a wee bit fiddly... until now.

The Firesheep plugin, written by a Web app developer named Eric Butler, automates the entire process. It's pointy clicky, so all you need to do is pull into a cafe or airport with open wifi, point and click and start goatseing everyone's Facebook.

Neal Wise of Assurance.com.au in Melbourne joins me to discuss Firesheep and what it means in a Web 2.0 world.

Vitaly "The Octopus" Kamlyuk is this week's sponsor guest and we talk about Java exploitation.

Adam Boileau, as always, stops by to discuss the week's news headlines.