Risky Business Podcast

In this week's podcast we're chatting with Jonathan Cran of Pwnie Express.

Pwnie Express makes dropboxes that were designed to be used by pentesters. Funnily enough people have actually found all sorts of non-illicit uses for them.

In this week's sponsor interview we chat with HackLabs' penetration tester Jody Melbourne to ask if there's a future for hacktivists after SQLi bugs are a thing of the past.

In this week's news segment with Adam Boileau we discuss the following items:

'DNSChanger' Malware Could Strand Thousands When Domains Go Dark on
Monday | Threat Level | Wired.com
http://www.wired.com/threatlevel/2012/07/dns-changer-going-dark/

Report: Wireless Hacking Suspected In Air Raid Siren Miscues |
threatpost
http://threatpost.com/en_us/blogs/report-wireless-hacking-suspected-air-raid-siren-miscues-070512

Cisco Pulls Back on Routers' 'Supplemental Privacy Policy' |
threatpost
http://threatpost.com/en_us/blogs/cisco-pulls-back-routers-supplemental-privacy-policy-070312

There is No Reason to Take a Picture of Your Debit Card ...Ever |
threatpost
http://threatpost.com/en_us/blogs/there-no-reason-take-picture-your-debit-card-ever-070312

New Version of Sykipot Trojan Linked To Targeted Attacks On Aerospace
Industry | threatpost
http://threatpost.com/en_us/blogs/new-version-sykipot-trojan-linked-targeted-attacks-aerospace-industry-070312

Mac OS X, Windows Backdoors Used in New APT Attacks | threatposthttp://threatpost.com/en_us/blogs/mac-os-x-windows-backdoors-used-new-apt-attacks-062912

Microsoft Names Two Alleged Zeus Botnet Operators | threatpost
http://threatpost.com/en_us/blogs/microsoft-names-two-alleged-zeus-botnet-operators-070312

Appeals Court Calls Bank's Security "Commercially Unreasonable" |
threatpost
http://threatpost.com/en_us/blogs/appeals-court-calls-bank-s-security-commercially-unreasonable-070512

Senator Seeks to Strengthen SEC-Required Cybercrime Reporting | threatpost
http://threatpost.com/en_us/blogs/senator-seeks-strengthen-sec-required-cybercrime-reporting-070212

Adobe: No Flash Player For Future Android Versions | threatpost
http://threatpost.com/en_us/blogs/adobe-no-flash-player-future-android-versions-062912

Iran state TV: The BBC hacked us | ZDNet
http://www.zdnet.com/iran-state-tv-the-bbc-hacked-us-7000000334/

WikiLeaks starts publishing millions of 'Syria Files' emails | ZDNet
http://www.zdnet.com/wikileaks-starts-publishing-millions-of-syria-files-emails-7000000316/

Want cheaper insurance? Brush up on your IT security | ZDNet
http://www.zdnet.com/want-cheaper-insurance-brush-up-on-your-it-security-7000000251/

NBN Co: Huawei FOI could harm national security | ZDNet
http://www.zdnet.com/nbn-co-huawei-foi-could-harm-national-security-7000000106/

There's a lot of really interesting news this week. Adam Boileau is back on deck at the top of the show to discuss shitty security at the Ecuadorian embassy in London, the new tool DroidSheep, DARPA's (DERPA? Lol.) attempts at securing the architectural mess that is Android, dudes going to prison, other dudes getting away with stuff and much, much more!

In this week's feature interview we chat with Matthew D Greene, Assistant Research Professor at Johns Hopkins University's Information Security Institute. We're talking to him about some recently unveiled attacks against hardware tokens that enable attackers to extract key material that's supposed to be protected. Oops!

Matthew blogged about it here, and the paper we discuss is here [pdf].

This week's show is brought to you by our good friends at SensePost! Sensepost founder and director Charl Van Der Walt will be along in this week's sponsor interview to discuss what he's learned from teaching BlackHat courses for 10 years.

In this week's news segment we cover Julian Assange's attempt at martyrdom in style, claims of a Twitter outage, the cracking of 923-bit pairing-based encryption in Japan, the blackmailing of an American firm by hackers, Face.com's tragic fail, The Washington Post's stunning (not) revelation that Flame was the work of the US and Israel, AutoCAD worms, bug bounties and more!

Insomnia Security's Mark Piper tackles all that at the top of the show. He's filling in for Adam Boileau.

Also in this week's show we're chatting with Adobe's director of product security and privacy Brad Arkin. We're talking to him all about an opinion piece Bruce Schneier wrote for Forbes about twisted incentives in the vulnerability market. It's interesting stuff.

That's this week's sponsor interview.

There's no feature interview this week and possibly no podcast next week. Family stuff.

On this week's show we chat with Rapid7's H D Moore about massive recon in both the IPv4 and IPv6 worlds. He's been busy basically banner grabbing the entire Internet and he's found some really, really weird stuff out there. There are some very interesting nuggets in that interview. Check it out.

This week's show is brought to you by Tenable Network Security so in this week's sponsor interview we're chatting with Tenable's CSO Marcus Ranum about why the hell people are still using fast hashing algorithms for password storage. We also talk about a couple of novel approaches to authenticating high-value clients in the finance world.

Normally we'd start off with the week's news segment with Adam Boileau, but he's off in Estonia at the moment, so filling in for him this week is his colleague at Insomnia Security, Mark "Pipes" Piper.

On this week's show we'll be chatting with Forbes' London bureau chief Parmy Olson.

Parmy did a great job of covering the whole LulzSec fiasco last year for Forbes, but she's gone one better and written a book about the whole thing. It's called We Are Anonymous: Inside the hacker world of LulzSec and you know what? It's pretty good!

Actually, it's really, really good. I'm about a third of the way through a review copy. Parmy will joins us to talk about what it was like to stitch a story like this together.

This week's show is brought to you by those fine folk at HackLabs, a Sydney-based penetration testing firm. Its founder and big cheese Chris Gatford will be along in this week's sponsor interview to chat about two factor via cellphones.

There was a really interesting attack against 4chan through its hosting provider ClousdFlare this week that involved some telephone trickery. Do people place too much trust on out of band second factors? Find out in this week's sponsor interview!

Adam Boileau, as always, joins us to talk about ABSOLUTELY EVERYONE GETTING OWNED! Between LinkedIn, eHarmony and Last.fm getting popped, the US as good as claiming credit for Stuxnet, Flame man in the middling Windows Update and all sorts of other crazy stuff, well, it's been a hell of a week for news!

On this week's show we're taking a look at some research out of Cambridge University that's drawn a lot of attention. It involves a claim that researchers found a hardware back door on a Chinese-made FPGA (Field Programmable Gate Array).

That FPGA is apparently used in military hardware. You can find links to the draft paper and a write-up here.

So was this "back door" put there by super-secret Chinese cyber-warriors? Or is it something much less interesting like an undocumented debugging interface?

Peter Gutmann is this week's feature guest and he'll be telling us all about it.

This week's show is sponsored by SensePost.

SensePost is a South African security consultancy that also has a presence in Europe. They are some seriously, seriously smart people and we're thrilled to have them as a sponsor.

In this week's sponsor interview we're taking a look at some research the company has done into cloning RSA soft tokens. We all know that soft tokens are theoretically weak, but SensePost's Behrang Fouladi set his mind to actually reversing them and seeing just how easy it is. As it turns out, very.

Adam Boileau, as always, stops by to discuss the week's news.

This week's feature audio is an excerpt from an AusCERT presentation I recorded last week. The talk, by Brad Barker of the HALO Corporation, discusses the Zeta drug cartel's use of technology and social media. HALO Corporation does everything from intelligence support to kidnap and ransom consulting. Barker has an interesting analysis of how civilian technology is altering methods of operation and the wider battlefield. It's good stuff.

Adobe's director of product security Brad Arkin will be along for this week's sponsor interview to talk about Apple's decision to block vulnerable versions of Flash Player in OS X. Brad also discusses Adobe's controversial -- and subsequently reversed decision -- to NOT patch its CS5 suite of products against a code execution bug.

Adam Boileau, as always, drops by to discuss the week's news headlines.

In this week's show we take a look at the big burning issue of BYOD.

Neal Wise of Assurance.com.au joins us to discuss some common approaches. Neal says one reason companies are starting to address the issue is because staff are already bringing devices in and connecting them to corporate resources regardless of company policy. In other words it's happening whether you like it or not.

This week's show is brought to you by Tenable Network Security -- if you need some vulnerability detection and management software, or some whiz bang security information event management kit, you'd best get your butt into gear and head to tenable.com.

In this week's sponsor interview Tenable Network Security CEO Ron Gula also weighs in on the debate. He says the BYOD phenomenon is doing a fantastic job at resuscitating NAC and NAP vendors.

Adam Boileau, as always, joins us for this week's news headlines.

On this week's show we're taking a look at basic opsec with an incident responder friend of ours. We'll be talking about some sensible strategies people can use when they're up to illegal stuff on the Internets, because, you know, watching all these guys getting busted for owning FBI websites from their own IPs is getting boring.

This is useful stuff to understand on the defensive side, too.

Plus Adam Boileau joins the show with his take on the week's news.

In this week's feature interview we're chatting with reverse engineer Jonathan Brossard about the theft of VMware source code from a third party. Lulzsec-linked hax0rs have owned up around 300mb of VMWare source and they say they're dropping it on May 5.

We believe them.

Predictably, VMware says it's no big deal, but Jonathan says that line is basically horseshit. He'll be joining us to tell us why.

Jonathan is the CEO of Toucan Systems and an organiser of Hackito Ergo Sum.

In this week's sponsor interview we're chatting with Adobe Software's product security chief Mr. Brad Arkin.

He'll be bringing us up to speed on what he's been up to over the last four weeks or so, and boy, has he been busy. They've been releasing silent auto-updaters for Flash player, open source malware triage tools, making major updates to Adobe Reader 9 for the poor souls who are unable to upgrade to 10; all sorts of good stuff.

Adam Boileau, as usual, joins the show for the week's news.

***EDITOR'S NOTE: There was a small error in this week's introduction script to the sponsor interview. Changes were made to Adobe Reader 9. The introduction script mistakenly said Adobe had introduced changes to Flash Player 9.