Podcasts

In this presentation from New Zealand's OWASP day, you'll hear Lateral Security's Nick Von Dadelszen describe testing methods for Web services.

Unfortunately he does some demonstrations that don't really translate well via audio, but if this is already an area of interest to you, then you'll still find it valuable.

In this interview, you'll hear Risky.Biz's New Zealand correspondent Paul Craig discuss Web services security with Lateral Security's Nick Von Dadelszen.

We all hear a lot of talk about web application vulnerabilities, and not much at all about web services problems. The result is a lot of web services are wide open.

Readers of the Risky.Biz website would have heard by now that McAfee accidentally leaked the full contact information of 1400 registrants for its strategic security summit that was held in Sydney on July 17.

McAfee's Asia Pacific President Steve Redman is this week's feature guest -- he joined the program to face the music for that one.

We've also got a sponsor interview with Microsoft's Stuart Strathdee in this week's show. We ask Stuart why Microsoft's free security software won't be available to systems that fail windows genuine advantage tests, as well as chatting about mobile security in light of the recently discovered Symbian botnet.

Adam Boileau joins us to discuss the week's news, and we can assure you there was lots of it!

The marketing spreadsheet contained the full names, titles, organisation names, phone numbers and e-mail addresses of all who had registered for or attended the company's recent Strategic Security Summit on July 17 in Sydney.

"We did have a human error where the seminar contact list was attached to a promotional e-mail that was sent to... we don't know how many of the delegates," McAfee's Asia Pacific President, Steve Redman, told Risky.Biz by phone. "The important thing to note is this was not financial information, not mission critical information, it was a contact list."

The list was mostly comprised of the details of in-house IT security professionals for Australian organisations. It included the details of those who had attended, those who registered but never showed up, and those who walked in without registering.

The company tried recalling the message after it accidentally leaked, and subsequently sent an e-mail asking those who may have received it to delete the contact list.

As such, Redman says the company will not be contacting everyone on the marketing list to inform them of the leak. "We don't know whether all those people deleted it," he says. "If 50 people got our list... and then we asked them all to delete it and they did, then the information's not out there."

Risky.Biz has sighted the list -- which contains comprehensive contact details for security professionals from banking institutions, government departments and other large enterprises -- throwing doubt on Redman's hopes the list has been deleted.

Chris Gatford, director of HackLabs attended the event and was alarmed when he learned of the leak. "It contained my registration information," he says. "I am not happy about it sitting in unknown hands."

He says he's surprised McAfee would be so careless with what he describes as sensitive information. He also disputes Redman's assertion the leak is trivial because it is a mere contact list.

"I am sure [McAfee's] competitors would be very excited to have this fall into their inbox," he says. "[And] that list would be great to attack as it is a who's who of the security gatekeepers of Australia's largest organisations."

Want more exclusive security news? Sign up for our weekly newsletter here. Create an account to post to our forums!

This week's show is hosted by Vigabyte and sponsored by Sophos. You'll hear from Sophos's Paul Ducklin later on in the show in this week's sponsor interview.

This week's feature interview is with Chris Eng of Veracode, and we'll be chatting about his analysis of a nasty bit of blackberry spyware that was pushed out to all blackberry users on UAE-based carrier Etisalat.

And of course we're joined by Adam Boileau for a discussion of the week's news.

This is the final of our podcast series recorded at Shaka Con. From next week on RB2 you'll hear reports prepared by our roving reporter Paul Craig on location at New Zealand's OWASP day.

Shaka Con is a hacker conference held annually in Honalulu, Hawaii, and as you'll hear, the conference didn't limit itself to digital security. Lock picking aficionado Deviant Ollam was there to give a talk all about locks and curiously, how to fly with locked luggage.

If you've travelled within the USA you may have opened up your bags one day to find a friendly note from the TSA telling you they have searched your bag for your safety.

Well, as it turns out, there's a way to legally fly with a locked bag. It involves flying with firearms. Only in America, folks.

Risky.Biz's own Paul Craig caught up with Deviant at Shaka Con and filed this interview.

The website has finally blocked private rental listings in order to stamp out fraudulent listings that have fleeced its unsuspecting customers for thousands over several months. It's something, but it's way too late. This is what the company should have done in May when it first got wind of the problem.

Instead, it tried to spin its way out of trouble, enlisting the help of PR company Red Agency to handle this Website's enquiries.

Domain.com.au refused interviews. Domain.com.au knew its customers were losing money to criminals. Domain.com.au chose to do virtually nothing to stop it.

In response to these Risky.Biz articles that first exposed the fraudulent activity in May and June (1 and 2), Risky.Biz received an oh-so-chirpy e-mail from Red Agency on June 19. It informed Risky HQ that a "new security policy, accessible through various links on the site," had been written and published!

What a relief! Problem solved!

Not only that, but the company had used the most advanced "hyperlinking technology" through some new-fangled thing called HTML to link users to the fraud-defeating, magic security policy. I mean, wouldn't YOU click on a link to a security policy that was presented to you in eight-point font on a contact form?

Domain also wrote a blog post warning its users about fraud and ran it on the Domain.com.au blog. Here's a fun game: see if you can find it.

One thing we could certainly find were the graphics on the front pages of The Age and Sydney Morning Herald online that screamed words to the effect of "Apply for rental properties online now on Domain.com.au!". These were running the day the blog post went up. How deliciously ironic.

The Age and SMH are owned by Fairfax, which also owns Domain.

The thing that really cracks us up here at Risky.Biz is this excerpt from the SMH article we linked to in the first paragraph:

The general manager of key categories, Tony Blamey, said the company received reports of the scam in the past two weeks.

Sorry Tony, but we're calling bullshit on that one. Domain has known about this since mid May at the latest.

The new package, nmap 5.0, includes Ncat, billed as a "a much more advanced and modern reimplementation of the beloved Netcat". Also included is Ndiff, which is designed to portscan networks and alert administrators to changes.

Lyon decided on a "surprise release" of the new nmap network scanner to avoid deadline pressure. "It is very hard to predict software release dates, especially open source," he told Risky.Biz before the launch. "So rather than keep giving dates and missing them, I just keep my mouth shut and then release suddenly when it is ready."

The new and improved tool had been through an extensive beta phase before the final release hit the nmap website at 9am Pacific time in the USA.

"Really, when you get into the double digits with your beta release counts, that's a good sign to say maybe you should release a non-beta version," Lyon says. "Otherwise you end up in perpetual beta like Google."

The new version is available here.

Adam Pointon, a Melbourne-based CSO and former penetration tester, was given the opportunity to preview the new nmap. "Ncat is sweet... I'm going to alias nc to ncat," Pointon says. "With most systems using or enabling IPv6 these days, it fills the gap in the toolset... and will replace the need for multiple tools working together, such as netcat, zebedee, stunnel or s_client."

The connection-brokering and I/O redirection features make it even richer, and innovative in IPv6 land, Pointon added.

Nmap was first released in 1997 and has become the de facto standard port scanning utility for penetration testers and network administrators.

It's also cracked Hollywood. During a scene in The Matrix Reloaded the movie's character Trinity is shown using the software while hacking into a power station's control systems.

Want more exclusive security news? Sign up for our weekly newsletter here. Create an account to post to our forums!

On this week's show we're joined by semi regular guest Adam Pointon. Adam's the CSO for a financial services company, so he has a fair bit of insight into both security technology and market-based technology. You may have heard by now that investment bank Goldman Sachs has claimed its trading algorithm has been stolen by one of its developers. Why is this a big deal? How would possession of that algorithm be advantageous to an attacker? Adam joins the show to tell us.

We also hear from Brian "Jericho" Martin -- he's the maintainer of the open source vulnerability database and he also works for Tenable Network Security, our sponsor. He'll be along in this week's sponsor interview to have a chat about that nasty DirectShow ActiveX bug that's doing the rounds at the moment -- did Microsoft drop the ball on this one? Well, the answer is maybe, as you'll hear.

We have a special news guest this week, too -- iDefense cybercrime analyst Kimberly Zenz.

F-secure flew its chief research officer, Mikko Hypponen, out to Australia last week to meet the press. The company hosted an event -- the F-Secure Future of the Digital Economy Forum -- and invited a bunch of very interesting panellists to discuss the state of information security today. They asked Risky Business to moderate and record the session.

The panellists were:

• Mikko Hypponen, chief research officer, F-Secure
• Graham Ingram, managing director of AusCERT
• Neil Gaughan, national manager of the Australian Federal Police's High Tech Crime Operations
• Nick Abrahams, national leader of Deacons' technology, media & telecommunications group
• Michael Lonie, policy manager for the Australian Retailers Association
• Crispin Tristram, consumer online general manager for Singtel Optus

In the interests of disclosure, Risky Business was paid to moderate and record this event.

It was a genuinely interesting discussion, and we're podcasting the whole thing, more or less unedited. So here it is -- last Wednesday's F-Secure future of the digital economy forum, held at the ocean room at Sydney's overseas passenger terminal at Circular Quay West. Enjoy.