Risky Business Podcast

On this week's show we take an axe to all the crazy hype around BlueBox's Android research. It's been a shameful, shameful week for the tech media. I half expected to walk outside this week and find crowds of consumers holding pitchforks and burning their Android devices based on the headlines we've been seeing about 99% of all 'droid devices being open to attack!

As you'll hear in this week's interview with Justin Case (jcase), the research is cool -- it's a code signing check bypass for android install packages -- but you can put down the matches and the lighter fluid. It's not that bad.

In this week's sponsor interview we continue the conversation about code signing with Brad Arkin, the CSO of Adobe. Adobe itself had some trouble with an attacker compromising its systems and signing malware with its HSM. Last week, as you would have heard, someone managed to do the same thing at Opera, only that case was worse because they also jacked the browser's update boxes for a short time and served up bogus patches.

Last time Brad was on the show he was the head of security and privacy at Adobe so handling the operational security and code signing wasn't actually his responsibility. But it is now so he's been doing some thinking.

What do these recent developments tell us about distributed trust models for code signing? Are desktop OS's moving towards the mobile app signing model that has worked so spectacularly well for Apple? Well, Brad says they are, with caveats.

Adam Boileau, as usual, joins the show to discuss the week's news headlines. Show notes are here.

We've got a great show for you this week. Mark Dowd of Azimuth Security pops in to talk about the bugs he found in libraries used by secure telephony providers like Silent Circle. They're serious, serious bugs, and they were easy to find.

Also this week we talk to Les Goldsmith of ESD America. ESD is a pretty interesting outfit. They sell the German-developed GSMK Cryptophone, a product that has been around for a very, very long time and is mostly used by militaries and police. They also sell counter surveillance training, bug sweeping gear, armoured vehicles, tactical training and explosives detection dogs, but hey, today we're focussing on the electronic stuff.

We get Les's reaction to the news that the US has been bugging the offices of the European Union, the Ecuadorian embassy and, well, pretty much everyone all the time. He's got some really interesting perspectives on that.

In this week's sponsor interview we chat with Chris Gatford about these awful, awful IPMI vulnerabilities. The Intelligent Platform Management Interface turns out to be anything but! If you haven't heard, it turns out there are serious, protocol-level design flaws in IPMI which are going to make life tough for anyone who's actually using it. it's the sort of thing that will take a long time to truly fix, too.

This week's show is a bit shorter than usual. We've got a discussion of the week's news then a great chat with Brian Contos, the VP and CISO of Blue Coat Systems Advanced Threat Protection Group.

It's this week's sponsor interview and we'll be chatting about whether or not cyber warfare is really asymmetrical. It's the accepted wisdom that it is, but I gotta say, when we look at who's using it -- the US and Israel against Iran and Syria, Russia versus Estonia -- it looks to me like it's something used by the big guys to smash the little guys. Brian disagrees, so it's a nice lively discussion and it's coming up after the news.

In this week's show we talk opsec with international man of mystery The Grugq. In light of revelations the Internet lounge at the G20 summit was essentially an intelligence collection system set up by GCHQ, we thought we'd look at what travelling diplomats and executives can do to protect their data when entering a hostile environment where all infrastructure is assumed to be controlled by your adversary.

There's some great practical advice in that segment, and it's after the news.

In this week's sponsor interview we speak with Jack Daniel, Tenable Network Security's product manager about Microsoft's bug bounty program. $100k for a good exploit! The times, they change.

And we check in with Adam Boileau to discuss the week's news headlines. Show notes can be found here.

In this week's feature interview we chat with author and speaker Richard Thieme about what they used to call the generation gap. NSA leaker Edward Snowden is "Internet generation". Are the ideals espoused by people like Snowden rooted in counter-cultural ideals or are they just generational norms?

Are these ideas around online liberty becoming mainstream? Now that we have so many gen-Ys and millennials actually running the information infrastructure that powers our institutions, could we be on the cusp of serious changes in the way the establishment works? That is an interesting chat.

In this week's sponsor interview we're chatting to John Vecchi, Solera's VP of Product Strategy, all about whether or not we're neglecting mundane threats because we're so focussed on identifying APT.

Adam Boileau joins us for this week's news segment. Show notes, including links to the articles discussed, can be found here.

On this week's show we take a look at PRISM, the NSA's recently exposed massive surveillance program. Leaked PowerPoint slides from NSA describe a surveillance system that allows the agency to effortlessly capture a target's YouTube, Google, Facebook and Skype. This has been reported as these companies allowing the US government access to "back doors" on their systems.

In this week's episode we look at an alternative theory: The NSA is actually capturing information on "persons of interest" in real-time via fibre taps, decrypting it with private keys, then storing it. It's our theory and we're sticking with it. Listen to this week's episode to see if you agree!

Also this week we've got Tenable's chief of security, Marcus Ranum, stopping by in this week's sponsor interview to follow up on his keynote speech at AusCERT. The speech was called Never Fight a Land War in Cyber Space and it's really about the idea that conventional military thinking doesn't apply to the Internet.

I published a recording of his talk and it got a great reaction, but I was left with some questions after I saw it. So I rang him up and asked them! It's actually a really, really interesting interview so make sure you tune in for it.

****EDITOR'S NOTE: During the discussion on PRISM, I referenced 5Tb/s of traffic between "the US, Canada and US". That should have been "The US, Canada and Europe". Sorry about that!

This week's show is a cracker! We've got a great feature interview with journalist and author Parmy Olson about what the future might hold for Anonymous. Is it time for the Anonymous brand to be retired? The media has largely lost interest in its activities -- how could the hacktivism phenomenon bounce back to the same levels of notoriety as it experienced in 2011?

Tune in to find out!

This week's show is brought to you by Senetas, makers of absolutely kick-ass layer 2 encryption equipment.

In this week's sponsor interview we're chatting with Senetas co-founder and CTO Julian Fay about homomorphic encryption. This is where you can actually perform operations on data while it's still encrypted! It's all a bit twisted, but it's fascinating stuff and it's this week's sponsor interview topic.

This week's feature interview is with Dave Jorm, a Brisbane-based security geek and environmental science aficionado who's done some really interesting OSINT analysis of agricultural efficiency in North Korea with publicly available satellite data.

He's presenting his findings at AusCERT's annual conference on the Gold Coast next week; he joins the podcast to talk about his work and the online community of North Korea watchers.

Ok, so it's not exactly about infosec, but it's really interesting stuff and I hope you all enjoy it!

This week's show is brought to you by the fine folks at HackLabs, the Australian pentesting firm. If you need your pens tested, get in touch with the team at HackLabs.com.

This week's sponsor interview is with HackLabs head honcho Chris Gatford. We chat to him about a tale of two banks -- one big Middle Eastern bank and one small Australian bank. They're two organisations with very different approaches to security and very different security postures, but both eventually failed penetration tests by making the same simple mistakes.

This week's show was being produced on the road so it's a bit of a different format -- I did a longer than usual news panel session from the conference floor!

Our news discussion panel consists of:

The Grugq
Dominic White, SensePost
Charl van der Walt, SensePost
Andrew MacPherson, Paterva (Maltego)

After that we've got this week's sponsor interview with Peleus Uhley of Adobe.

Adobe is this week's sponsor, big thanks to them, and Peleus joins the show to talk about throwing a spanner in the works of mass malware customisation. We look at some of the approaches large vendors are using these days to disrupt the development lifecycle of the bad guys. It's interesting stuff and it's after the news.

This week's edition of the show is pre-recorded because I'm off surfing in Jeffreys Bay, South Africa. There will be no show next week, but the week after that I'll be bringing you an episode from the ITWeb Security Summit in Johannesburg where I'm speaking.

In this week's show we've got a great interview with Wade Baker, the managing principal of Verizon's RISK team, and the topic, of course, is this year's Verizon Data Breach Investigations Report.

We've also got a sponsor interview with Marcus Ranum of Tenable Network Security. Tenable is this week's sponsor, so you can thank them for making this week's show possible. Do check out Tenable.com for all your vulnerability scanning and SIEM needs!

We chat with Marcus about what he calls economic spoiler attacks -- these are the disruptive, state-sponsored attacks we've seen against Saudi Aramco and South Korea.

If you'd like to download this week's track, you can grab it for free from the TripleJ Unearthed website here.