Risky Business Podcast

Analysis and news podcasts published weekly

Risky Business #248 -- Being Big Brother on a budget

Presented by

Patrick Gray

CEO and Publisher

Adam Boileau

Technology Editor

I've been busy preparing my debate speech for tomorrow's Splendour in the Grass music festival, so this week's show is a shorter one than usual; there's no feature interview.

But we've got a fascinating sponsor interview with SensePost's Glenn Wilkinson coming up. He's a lead security analyst with SensePost in its London office. He and his colleague Daniel Cuthbert are doing a talk and tool release at 44con in September called Terrorism, Tracking, Privacy and Human Interactions.

They set about writing some really creepy Big Brother-style tools for doing massive surveillance by dropping a few wireless access points around London. And you know what? As it turns out it's really easy to be really creepy!

Show notes

Australia, Canada 'primary spy targets'
http://www.theage.com.au/opinion/political-news/australia-canada-primary...

Nearly 5 Million People Have Government Security Clearances | Threat Level | Wired.com
http://www.wired.com/threatlevel/2012/07/security-clearances-increasing/

AAPT hacked by Anonymous - Security - Technology - News - CRN Australia
http://www.crn.com.au/News/309915,aapt-hacked-by-anonymous.aspx

Anonymous hackers cripple Aussie government websites | Information, Gadgets, Mobile Phones News & Reviews | News.com.au
http://www.news.com.au/technology/anonymous-hackers-cripples-aussie-gove...

Par:AnoIA | Meanwhile in Australia
http://par-anoia.net/queensland/

Watching the crooks: Researcher monitors cyber-espionage ring | Security & Privacy - CNET News
http://news.cnet.com/8301-1009_3-57479682-83/watching-the-crooks-researc...

Microsoft implements BlueHat prize tech | Security & Privacy - CNET News
http://news.cnet.com/8301-1009_3-57479407-83/microsoft-implements-blueha...

Charlie Miller Takes on NFC, Charlie Miller Wins | threatpost
http://threatpost.com/en_us/blogs/charlie-miller-takes-nfc-charlie-mille...

Reverse-Engineered Irises Look So Real, They Fool Eye-Scanners | Threat Level | Wired.com
http://www.wired.com/threatlevel/2012/07/reverse-engineering-iris-scans/

Siemens Patches Stuxnet-Like SCADA Bugs | threatpost
http://threatpost.com/en_us/blogs/siemens-patches-stuxnet-scada-bugs-072...

Grum Botnet Briefly Revived, Now Dead Again | threatpost
http://threatpost.com/en_us/blogs/grum-botnet-briefly-revived-now-dead-a...

Black Hat: Phishing E-Mail Scare A False Alarm | threatpost
http://threatpost.com/en_us/blogs/black-hat-phishing-e-mail-scare-false-...

Termineter Security Framework for Smart Meters Released | threatpost
http://threatpost.com/en_us/blogs/termineter-security-framework-smart-me...

This Xbox HDMI cable has 'anti-virus protection' | ZDNet
http://www.zdnet.com/this-xbox-hdmi-cable-has-anti-virus-protection-7000...

Skype makes chats and user data more available to police - The Washington Post
http://www.washingtonpost.com/business/economy/skype-makes-chats-and-use...

McKinnon extradition decision date set for mid-October | ZDNet
http://www.zdnet.com/mckinnon-extradition-decision-date-set-for-mid-octo...

Power Pwn: This DARPA-funded power strip will hack your network | ZDNet
http://www.zdnet.com/power-pwn-this-darpa-funded-power-strip-will-hack-y...

Eight million passwords stolen from gaming site - Crypto - SC Magazine Australia - Secure Business Intelligence
http://www.scmagazine.com.au/News/309627,eight-million-passwords-stolen-...

And why is Canada a target of spies? I don't quite see what is with Canada that makes them so. - Feed the Children Reviews

Following on from the uses of smart-phone wifi detection comes the interesting idea from GM - identify pedestrians before you see them in low-visibility situations.

http://mobile.slashdot.org/story/12/07/29/1412252/gm-working-on-wi-fi-di...

Great show - high point of the week's technical listening

Risky Business #247 -- Could a quantum leap spell the end of crypto?

Presented by

Patrick Gray

CEO and Publisher

Adam Boileau

Technology Editor

On this week's show the NSA's former Technical Director of Information Assurance, Brian Snow, joins the program to warn us that recent advancements in quantum computing could invalidate all of our cryptographic systems within 15 years.

So we'd better get cracking on finding alternatives!

This week's show is brought to you by the security team at Adobe! Big thanks to them. And Adobe's head of security and privacy Brad Arkin will be along later in the show to discuss Adobe's planned deprecation of Flash on mobile devices. As of September 2013 the whole lot goes dark permanently, so how DO you manage that sort of support withdrawal?

That's this week's sponsor interview.

Show notes

Password Leaks Continue: Billabong, NVIDIA Accounts Compromised | threatpost
http://threatpost.com/en_us/blogs/password-leaks-continue-billabong-nvid...

Hacker Claims Compromise of IT Recruiter | threatpost
http://threatpost.com/en_us/blogs/hacker-claims-compromise-wall-street-i...

Yahoo gives all clear after hack attack | Security & Privacy - CNET News
http://news.cnet.com/8301-1009_3-57472023-83/yahoo-gives-all-clear-after...

Microsoft: Fake Skype For Android App Linked To SMS Scams | threatpost
http://threatpost.com/en_us/blogs/microsoft-fake-skype-android-app-linke...

Google Hardens Chrome To Block Malicious Extensions | threatpost
http://threatpost.com/en_us/blogs/google-hardens-chrome-block-malicious-...

Former Pentagon Analyst Warns China Has Back Doors To Global Telcos | threatpost
http://threatpost.com/en_us/blogs/former-pentagon-analyst-warns-china-ha...

FBI Investigating Major Chinese Firm for Selling Spy Gear to Iran | Threat Level | Wired.com
http://www.wired.com/threatlevel/2012/07/fbi-zte/

Senators introduce amended cybersecurity measure | Security & Privacy - CNET News
http://news.cnet.com/8301-1009_3-57476215-83/senators-introduce-amended-...

Skype squashes bug that sends messages to random contacts | ZDNet
http://www.zdnet.com/skype-squashes-bug-that-sends-messages-to-random-co...

Symantec antivirus software update crashes some PCs | Security & Privacy - CNET News
http://news.cnet.com/8301-1009_3-57472624-83/symantec-antivirus-software...

Oracle won't patch zero-day hole in Database | ZDNet
http://www.zdnet.com/oracle-wont-patch-zero-day-hole-in-database-7000001...

Nike hacker steals over $80,000 | ZDNet
http://www.zdnet.com/nike-hacker-steals-over-80000-7000001177/

Officials attack Grum: World's third largest botnet (18% of spam) | ZDNet
http://www.zdnet.com/officials-attack-grum-worlds-third-largest-botnet-1...

Security flaw found in Amazon's Kindle Touch | ZDNet
http://www.zdnet.com/security-flaw-found-in-amazons-kindle-touch-7000001...

Apple iOS in-app purchases hacked; everything is free (video) | ZDNet
http://www.zdnet.com/apple-ios-in-app-purchases-hacked-everything-is-fre...

Charlie Miller: 'Difficult to write exploits' for Android 4.1 | ZDNet
http://www.zdnet.com/charlie-miller-difficult-to-write-exploits-for-andr...

Assad's sexist email jokes leaked | Herald Sun
http://www.heraldsun.com.au/news/breaking-news/assads-sexist-email-jokes...

[Event] Information Security Awareness Tour 2012 - Registration Open and Call for Speakers/Sponsors | in2securITy
http://www.in2security.org.nz/?q=node/153

The recruiter is going to be hunted. He messed up with the wrong people. - Feed the Children Reviews

Risky Business #246 -- Here lies password authentication. RIP.

Presented by

Patrick Gray

CEO and Publisher

Adam Boileau

Technology Editor

On this week's edition of the show we catch up with Mark Dowd of Azimuth Security for a bit of a chat about Apple's upcoming iOS 6 operating system and its security features. We also wind up chatting about Apple's approach to OS security in general and the whole signed-code app store thing. It's fun stuff!

This week's show is brought to you by Tenable Network Security -- the longest-standing and most loyal supporter of this podcast.

Tenable founder and CEO Ron Gula joins us later on in the show to chat about the media hype surrounding DNSChanger and Flame, as well as talking about some really, really rudimentary approaches to picking up stuff your AV may have missed. That's this week's sponsor interview.

In this week's news segment, Insomnia Security's Adam Boileau joins the program to discuss the following stories:

Govt defends need to snoop on online and phone records | Information, Gadgets, Mobile Phones News & Reviews | News.com.au
http://www.news.com.au/technology/govt-defends-need-to-keep-internet-dat...

1.3M Cellphone Snooping Requests Yearly? It's Time for Privacy and Transparency Laws | Threat Level | Wired.com
http://www.wired.com/threatlevel/2012/07/mobile-data-transparency/

AusCERT loses passwords to Govt service - Web/client - SC Magazine Australia - Secure Business Intelligence
http://www.scmagazine.com.au/News/307954,auscert-loses-passwords-to-govt...

Gone in 3 Minutes: Keyless BMWs a Boon to Hacker Thieves | Threat Level | Wired.com
http://www.wired.com/threatlevel/2012/07/keyless-bmw-gone/

Android forum site hacked; data swiped on 1 million users | Security & Privacy - CNET News
http://news.cnet.com/8301-1009_3-57471297-83/android-forum-site-hacked-d...

Top domains and passwords compromised by Yahoo breach | Security & Privacy - CNET News
http://news.cnet.com/8301-1009_3-57471299-83/top-domains-and-passwords-c...

Formspring disables user passwords in security breach | Security & Privacy - CNET News
http://news.cnet.com/8301-1009_3-57469944-83/formspring-disables-user-pa...

Apple Receives NFC Patent, But Takes It Slow with Mobile Payments | threatpost
http://threatpost.com/en_us/blogs/apple-receives-nfc-patent-taking-it-sl...

Anonymous Group Says It Gave Syrian E-mails to WikiLeaks | Threat Level | Wired.com
http://www.wired.com/threatlevel/2012/07/anonymous-syrian-emails/

WikiLeaks Wins Icelandic Court Battle Against Visa for Blocking Donations | Threat Level | Wired.com
http://www.wired.com/threatlevel/2012/07/wikileaks-visa-blockade/

Instagram Patches "Friendship Vulnerability" Privacy Hole | threatpost
http://threatpost.com/en_us/blogs/instagram-patches-friendship-vulnerabi...

Google Adds Full Flash Sandbox to Chrome 21 | threatpost
http://threatpost.com/en_us/blogs/google-adds-full-flash-sandbox-chrome-...

Google Patches Three High-Priority Flaws in Chrome 20 | threatpost
http://threatpost.com/en_us/blogs/google-patches-three-high-priority-fla...

Microsoft Revokes Trust in 28 of Its Own Certificates | threatpost
http://threatpost.com/en_us/blogs/microsoft-revokes-trust-28-its-own-cer...

NSA Chief Says Today's Cyber Attacks Amount to 'Greatest Transfer of Wealth in History' | threatpost
http://threatpost.com/en_us/blogs/nsa-chief-says-todays-cyber-attacks-am...

Deep Packet Inspection Firm Cyberoam Issues Fix Following Private Key Leak | threatpost
http://threatpost.com/en_us/blogs/deep-packet-inspection-firm-cyberoam-i...

Hackers can break into your Cisco TelePresence sessions | ZDNet
http://www.zdnet.com/hackers-can-break-into-your-cisco-telepresence-sess...

Data-breach laws are coming: OAIC assistant | ZDNet
http://www.zdnet.com/data-breach-laws-are-coming-oaic-assistant-7000000761/

Stratfor Class Action Settlement Email
http://cryptome.org/2012/07/sterling-stratfor-email.htm

Risky Business #245 -- Drop boxes for the win

Presented by

Patrick Gray

CEO and Publisher

Adam Boileau

Technology Editor

In this week's podcast we're chatting with Jonathan Cran of Pwnie Express.

Pwnie Express makes drop boxes that were designed to be used by pentesters. Funnily enough, people have found all sorts of non-illicit uses for them.

In this week's sponsor interview we chat with HackLabs' penetration tester Jody Melbourne to ask if there's a future for hacktivists after SQLi bugs are a thing of the past.

In this week's news segment with Adam Boileau we discuss the following items:

'DNSChanger' Malware Could Strand Thousands When Domains Go Dark on Monday | Threat Level | Wired.com
http://www.wired.com/threatlevel/2012/07/dns-changer-going-dark/

Report: Wireless Hacking Suspected In Air Raid Siren Miscues | threatpost
http://threatpost.com/en_us/blogs/report-wireless-hacking-suspected-air-raid-siren-miscues-070512

Cisco Pulls Back on Routers' 'Supplemental Privacy Policy' | threatpost
http://threatpost.com/en_us/blogs/cisco-pulls-back-routers-supplemental-privacy-policy-070312

There is No Reason to Take a Picture of Your Debit Card ...Ever | threatpost
http://threatpost.com/en_us/blogs/there-no-reason-take-picture-your-debit-card-ever-070312

New Version of Sykipot Trojan Linked To Targeted Attacks On Aerospace Industry | threatpost
http://threatpost.com/en_us/blogs/new-version-sykipot-trojan-linked-targeted-attacks-aerospace-industry-070312

Mac OS X, Windows Backdoors Used in New APT Attacks | threatpost
http://threatpost.com/en_us/blogs/mac-os-x-windows-backdoors-used-new-apt-attacks-062912

Microsoft Names Two Alleged Zeus Botnet Operators | threatpost
http://threatpost.com/en_us/blogs/microsoft-names-two-alleged-zeus-botnet-operators-070312

Appeals Court Calls Bank's Security "Commercially Unreasonable" | threatpost
http://threatpost.com/en_us/blogs/appeals-court-calls-bank-s-security-commercially-unreasonable-070512

Senator Seeks to Strengthen SEC-Required Cybercrime Reporting | threatpost
http://threatpost.com/en_us/blogs/senator-seeks-strengthen-sec-required-cybercrime-reporting-070212

Adobe: No Flash Player For Future Android Versions | threatpost
http://threatpost.com/en_us/blogs/adobe-no-flash-player-future-android-versions-062912

Iran state TV: The BBC hacked us | ZDNet
http://www.zdnet.com/iran-state-tv-the-bbc-hacked-us-7000000334/

WikiLeaks starts publishing millions of 'Syria Files' emails | ZDNet
http://www.zdnet.com/wikileaks-starts-publishing-millions-of-syria-files-emails-7000000316/

Want cheaper insurance? Brush up on your IT security | ZDNet
http://www.zdnet.com/want-cheaper-insurance-brush-up-on-your-it-security-7000000251/

NBN Co: Huawei FOI could harm national security | ZDNet
http://www.zdnet.com/nbn-co-huawei-foi-could-harm-national-security-7000000106/

Risky Business #244 -- Padding oracle attacks on crypto tokens: How bad?

Presented by

Patrick Gray

CEO and Publisher

Adam Boileau

Technology Editor

There's a lot of really interesting news this week. Adam Boileau is back on deck at the top of the show to discuss shitty security at the Ecuadorian embassy in London, the new tool DroidSheep, DARPA's (DERPA? Lol.) attempts at securing the architectural mess that is Android, dudes going to prison, other dudes getting away with stuff and much, much more!

In this week's feature interview we chat with Matthew D. Green, Assistant Research Professor at Johns Hopkins University's Information Security Institute. We're talking to him about some recently unveiled attacks against hardware tokens that let attackers extract key material that's supposed to be protected. Oops!

Matthew blogged about it here, and the paper we discuss is here [pdf].

This week's show is brought to you by our good friends at SensePost! SensePost founder and director Charl Van Der Walt will be along in this week's sponsor interview to discuss what he's learned from teaching BlackHat courses for 10 years.

Risky Business #243 -- Quickly! To Ecuador!

Presented by

Patrick Gray

CEO and Publisher

Adam Boileau

Technology Editor

In this week's news segment we cover Julian Assange's attempt at martyrdom in style, claims of a Twitter outage, the cracking of 923-bit pairing-based encryption in Japan, the blackmailing of an American firm by hackers, Face.com's tragic fail, The Washington Post's stunning (not) revelation that Flame was the work of the US and Israel, AutoCAD worms, bug bounties and more!

Insomnia Security's Mark Piper tackles all that at the top of the show. He's filling in for Adam Boileau.

Also in this week's show we're chatting with Adobe's director of product security and privacy Brad Arkin. We're talking to him all about an opinion piece Bruce Schneier wrote for Forbes about twisted incentives in the vulnerability market. It's interesting stuff.

That's this week's sponsor interview.

There's no feature interview this week and possibly no podcast next week. Family stuff.

Risky Business #242 -- Massive recon with HD Moore

Presented by

Patrick Gray

CEO and Publisher

Adam Boileau

Technology Editor

On this week's show we chat with Rapid7's HD Moore about massive recon in both the IPv4 and IPv6 worlds. He's been busy basically banner-grabbing the entire Internet, and he's found some really, really weird stuff out there. There are some very interesting nuggets in that interview. Check it out.

This week's show is brought to you by Tenable Network Security so in this week's sponsor interview we're chatting with Tenable's CSO Marcus Ranum about why the hell people are still using fast hashing algorithms for password storage. We also talk about a couple of novel approaches to authenticating high-value clients in the finance world.

Normally we'd start off with the week's news segment with Adam Boileau, but he's off in Estonia at the moment, so filling in for him this week is his colleague at Insomnia Security, Mark "Pipes" Piper.

Risky Business #241 -- Parmy Olson discusses her book on LulzSec

Presented by

Patrick Gray

CEO and Publisher

Adam Boileau

Technology Editor

On this week's show we'll be chatting with Forbes' London bureau chief Parmy Olson.

Parmy did a great job of covering the whole LulzSec fiasco last year for Forbes, but she's gone one better and written a book about the whole thing. It's called We Are Anonymous: Inside the hacker world of LulzSec and you know what? It's pretty good!

Actually, it's really, really good. I'm about a third of the way through a review copy. Parmy will join us to talk about what it was like to stitch a story like this together.

This week's show is brought to you by those fine folk at HackLabs, a Sydney-based penetration testing firm. Its founder and big cheese Chris Gatford will be along in this week's sponsor interview to chat about two-factor authentication via cellphones.

There was a really interesting attack against 4chan through its hosting provider CloudFlare this week that involved some telephone trickery. Do people place too much trust in out-of-band second factors? Find out in this week's sponsor interview!

Adam Boileau, as always, joins us to talk about ABSOLUTELY EVERYONE GETTING OWNED! Between LinkedIn, eHarmony and Last.fm getting popped, the US as good as claiming credit for Stuxnet, Flame man-in-the-middling Windows Update and all sorts of other crazy stuff, well, it's been a hell of a week for news!

Risky Business #240 -- FPGA "back doors"

Presented by

Patrick Gray

CEO and Publisher

Adam Boileau

Technology Editor

On this week's show we're taking a look at some research out of Cambridge University that's drawn a lot of attention. It involves a claim that researchers found a hardware back door on a Chinese-made FPGA (Field Programmable Gate Array).

That FPGA is apparently used in military hardware. You can find links to the draft paper and a write-up here.

So was this "back door" put there by super-secret Chinese cyber-warriors? Or is it something much less interesting like an undocumented debugging interface?

Peter Gutmann is this week's feature guest and he'll be telling us all about it.

This week's show is sponsored by SensePost.

SensePost is a South African security consultancy that also has a presence in Europe. They are some seriously, seriously smart people and we're thrilled to have them as a sponsor.

In this week's sponsor interview we're taking a look at some research the company has done into cloning RSA soft tokens. We all know that soft tokens are theoretically weak, but SensePost's Behrang Fouladi set his mind to actually reversing them and seeing just how easy it is. As it turns out, very.

Adam Boileau, as always, stops by to discuss the week's news.

Risky Business #239 -- The Zetas cartel and social media

Presented by

Patrick Gray

CEO and Publisher

Adam Boileau

Technology Editor

This week's feature audio is an excerpt from an AusCERT presentation I recorded last week. The talk, by Brad Barker of the HALO Corporation, discusses the Zeta drug cartel's use of technology and social media. HALO Corporation does everything from intelligence support to kidnap and ransom consulting. Barker has an interesting analysis of how civilian technology is altering methods of operation and the wider battlefield. It's good stuff.

Adobe's director of product security Brad Arkin will be along for this week's sponsor interview to talk about Apple's decision to block vulnerable versions of Flash Player in OS X. Brad also discusses Adobe's controversial -- and subsequently reversed -- decision to NOT patch its CS5 suite of products against a code execution bug.

Adam Boileau, as always, drops by to discuss the week's news headlines.
