Risky Business Podcast

We've got a pretty heavily spook-themed show for you this week. The feature interview is with New Zealand-based blogger and writer Keith Ng. He was trawling the Kim Dotcom affidavits in New Zealand and noticed that documents pertaining to the illegal GCSB surveillance on Mr. Dotcom had Five Eyes stamped all over them.

So, err, it looks like the surveillance apparatus established by five eyes to combat national security threats and terrorism was used indirectly by the NZ police force to spy on a guy over a copyright case. Interesting stuff.

And Senetas co-founder and CTO Julian Fay joins in this week's sponsor interview to a chat about the types of demands customers are making in the wake of Edward Snowden's leaks. Traffic analysis is king!

Adam Boileau, as usual, stops in to discuss the week's news headlines.

This week's feature guest is Haroon Meer of Thinkst Applied Research. He's launched an awesome new site called Phish5.com that allows sysadmins and security consultants to automate phishing campaigns against their own networks and clients.

It's a brilliant idea and well executed.

This week's show is brought to you by the fine folks at Microsoft, and we chat with Microsoft's Jerry Bryant later on about the expansion of the company's MAPP program. If you're an incident responder you really want to hear about this -- you can now submit suspect samples to Microsoft and they'll inspect them for 0day. World-class triage at your fingertips.

This is a special edition of the Risky Business podcast, produced with material recorded at BlackHat and Defcon in Las Vegas.

Features:

\t* Excerpts of Keith Alexander's keynote
\t* An interview with Moxie Marlinspike
\t* A sponsor interview with SensePost trainer Glenn Wilkinson

On this week's show we chat with Silent Circle founder Jon Callas about the decision to shutter the Silent Mail service, as well as what Silent Circle is doing to bolster product security in the wake of some pretty nasty bug disclosures by our pal Mark Dowd.

In this week's sponsor interview we chat with Tenable CEO Ron Gula about innovation trends in infosec -- he was working the trade floor like a boss at BlackHat, so I asked him what tickled his fancy.

A shaken but not stirred Adam Boileau joins us from the earthquake-ravaged, lawless badlands of Wellington to discuss the week's news headlines.

Show notes, including links to the stories we discussed in the news segment, can be found here.

In this week's feature slot we chat with Karsten Nohl about his research into pillaging SIM cards. It turns out Karsten's research into SIM security was much, much cooler than we initially thought.

In this week's sponsor interview we chat with Jonathan Ness about the all new singing and dancing EMET 4.0.

Adam Boileau pops by for the week's news.

This week's show features a fantastic, extended interview with Howard Schmidt, the former White House cyber security co-ordinator and special Assistant to the US President.

We spend about 35 minutes talking about what information security looks like from a high-level policy perspective. It's a long interview but there are some gems in there. We talk about some of the initiatives Howard kicked off at the White House, about the critical infrastructure legislation ping-pong game the executive branch played with congress, about Edward Snowden's leaks, and what it was like to work for Barack Obama.

This week's show is brought to you by a new sponsor -- Context Information Security. ContextIS is a global consultancy and managed service provider and its Australian general manager Scott Ceely joins us this week to talk about watering hole attacks. More specifically he's talking to us about a watering hole attack that managed to hose a few high value targets with some pretty basic exploitation techniques. The Crouching Tiger watering hole attack, a case study, if you will.

Adam Boileau, as usual, joins us to talk about the week's news headlines. Show notes here.

This week's show is brought to you by the fine, fine people at Tenable Network Security, big thanks to Tenable for all its support over the years.

And on this week's show we chat briefly with South Korean researcher SeungJin Lee about Smart TV security. They're equipped with cameras and microphones and they're popping up in living rooms everywhere.

Now, smart phones have cameras and microphones on them, so a lot of the hype around connected home devices seems a bit unreasonable. It's not like this is the first type consumer device that can be turned into a surveillance device. But as you'll hear, Smart TV operating systems are pretty insecure and vulnerable to some pretty basic forms of exploitation, so some of these concerns are actually quite reasonable.

SeungJin Lee will be dropping in to discuss his research into Smart TV security, research he'll be presenting at BlackHat in Las Vegas the week after next!

In this week's sponsor interview we chat with Ron Gula, the CEO of Tenable Network Security. This week we ask Ron if Ed Snowden's revelations on NSA spying could drive non-US companies away from doing business with American cloud service providers.

And we check the week's security news stories with Adam Boileau. Show notes here.

On this week's show we take an axe to all the crazy hype around BlueBox's Android research. It's been a shameful, shameful week for the tech media. I half expected to walk outside this week and find crowds of consumers holding pitchforks and burning their Android devices based on the headlines we've been seeing about 99% of all 'droid devices being open to attack!

As you'll hear in this week's interview with Justin Case (jcase), the research is cool -- it's a code signing check bypass for android install packages -- but you can put down the matches and the lighter fluid. It's not that bad.

In this week's sponsor interview we continue the conversation about code signing with Brad Arkin, the CSO of Adobe. Adobe itself had some trouble with an attacker compromising its systems and signing malware with its HSM. Last week, as you would have heard, someone managed to do the same thing at Opera, only that case was worse because they also jacked the browser's update boxes for a short time and served up bogus patches.

Last time Brad was on the show he was the head of security and privacy at Adobe so handling the operational security and code signing wasn't actually his responsibility. But it is now so he's been doing some thinking.

What do these recent developments tell us about distributed trust models for code signing? Are desktop OS's moving towards the mobile app signing model that has worked so spectacularly well for Apple? Well, Brad says they are, with caveats.

Adam Boileau, as usual, joins the show to discuss the week's news headlines. Show notes are here.

We've got a great show for you this week. Mark Dowd of Azimuth Security pops in to talk about the bugs he found in libraries used by secure telephony providers like Silent Circle. They're serious, serious bugs, and they were easy to find.

Also this week we talk to Les Goldsmith of ESD America. ESD is a pretty interesting outfit. They sell the German-developed GSMK Cryptophone, a product that has been around for a very, very long time and is mostly used by militaries and police. They also sell counter surveillance training, bug sweeping gear, armoured vehicles, tactical training and explosives detection dogs, but hey, today we're focussing on the electronic stuff.

We get Les's reaction to the news that the US has been bugging the offices of the European Union, the Ecuadorian embassy and, well, pretty much everyone all the time. He's got some really interesting perspectives on that.

In this week's sponsor interview we chat with Chris Gatford about these awful, awful IPMI vulnerabilities. The Intelligent Platform Management Interface turns out to be anything but! If you haven't heard, it turns out there are serious, protocol-level design flaws in IPMI which are going to make life tough for anyone who's actually using it. it's the sort of thing that will take a long time to truly fix, too.

This week's show is a bit shorter than usual. We've got a discussion of the week's news then a great chat with Brian Contos, the VP and CISO of Blue Coat Systems Advanced Threat Protection Group.

It's this week's sponsor interview and we'll be chatting about whether or not cyber warfare is really asymmetrical. It's the accepted wisdom that it is, but I gotta say, when we look at who's using it -- the US and Israel against Iran and Syria, Russia versus Estonia -- it looks to me like it's something used by the big guys to smash the little guys. Brian disagrees, so it's a nice lively discussion and it's coming up after the news.