Risky Business Podcast

In this week's feature interview we're chatting with Gartner Research Director Andrew Walls about a fascinating research paper released by Microsoft.

It's called Sex, Lies and Cyber-Crime Surveys [pdf]. It basically says most cyber crime surveys are misleading.

Tenable founder and CEO Ron Gula also joins the show to discuss the sudden popularity of so-called cyber insurance in light of the massive number of high-profile attacks that have occurred recently.

Adam, of course, drops in to discuss the week's news headlines, and boy, has it been a busy week!

In this week's feature interview we're chatting with Neal Wise of Assurance.com.au about RSA's decision to finally admit what we all knew already -- that its SecurID product line has been compromised. RSA is offering to replace tokens... we'll chat with Neal about whether it will make sense to do that or not.

In this week's sponsor interview we're joined by Astaro's director of Support Alan Toews. We're talking about the silver lining to all the chaos out there at the moment -- does the awareness raised by the actions of groups like LulzSec offset the harm they cause to their victims?

Adam Boileau, as usual, pops in to discuss the week's news.

On this week's show we're taking a look at the issue of failkit. Why is it that the very software designed to keep our networks secure is full of bugs?

A pen tester buddy of mine recently found an 0day XSS in a single sign on product... on ITS FRONT PAGE. Another friend found an auth bypass in a two-factor authentication management console. ON ITS FRONT PAGE.

It's impossible to find AV engines that don't come preloaded with a zillion format string vulnerabilities, and as you'll hear in this week's news, even Cisco's VPN solution is a nice way to actually own organisations. WTF.

Bug hunter extraordinaire, Azimuth Security's Mark Dowd, joins us after the news to chat about that. We'll also have a quick chat with Josh Corman, an analyst with 451 group in the USA and co-founder of the Rugged Software initiative.

Adam Boileau, as always, stops by for a check of the week's news headlines.

On this week's show we're chatting with HD Moore all about a recent decision by research house VUPEN to refuse to share their research into Chrome vulnerabilities with Google.

The French group likely sells 0days to governments, militaries and intelligence agencies to use on offensive operations -- so of course sharing its exploit information wouldn't make much sense for them. But what does this mean? Will we see any bugs in the open anymore? Or will they all go underground and be sold to governments?

This week's edition of the show is brought to you by NetWitness. Eddie Shwartz will be along after this week's feature interview to discuss the role of vendor marketing in making our situation worse. It's the job of marketing and salespeople to dazzle executives with bulldust -- but is it driving enterprise security investment in the best direction? Find out in this week's sponsor interview with Eddie Shwartz.

Adam Boileau stops by for a look at the week's news.

This week's show was cut together from Johannesburg, South Africa!

In it we discuss Google's latest bug bounty initiative -- they're not just offering cash for bugs in software products, these days they're also offering cash for bugs in their online properties. Got an auth bypass for Gmail? Ka-ching!

This week's show is brought to you by Astaro. Jack Daniel of Astaro joins us to talk about restricting certain content types from SOEs. Do we really need Flash in our operating environments anymore? Can we just drop it and gain some security?

Adam Boileau drops in, as always, to discuss the week's news headlines.

This week's show is a bit shorter than usual. We'll check in with Adam Boileau to discuss the week's news headlines and catch up with Tenable Network Security CEO Ron Gula in this week's sponsor interview.

Between those two we cover the Playstation Network hack, the kidnapping of Ivan Kaspersky, Microsoft's decision to coordinate the disclosure of vulnerabilities in non-MS products and much, much more!

On this week's show we're taking a look at Verizon Business Security Solutions' annual Data Breach Investigation Report. We'll be joined by both Bryan Sartin for a global perspective on the report, and by his Australian counterpart Mark Goudie, who'll give us a local perspective.

You can have a squiz at the report here.

This week's show is brought to you by NetWitness, and in this week's sponsor interview we're chatting with Shawn Carpenter about just how hip post-compromise detection is becoming.

Adam Boileau, as usual, stops by for the week's news headlines.

This week's show is a doozie!

We're joined by Brian Snow to discuss risk-based security. Brian, who was the technical director of information assurance for the NSA in the US, recently contributed to a security review of US Department of Energy Nuclear Weapons Facilities. (You can download the unclassified version of the report here for free with registration.)

The review sought to understand if Probabilistic Risk Assessment (PRA) methodologies could be used to improve the cost effectiveness of the DoE's security.

The review found that PRA is, in fact, not suited to managing risk in malicious environments. It's great for modelling likely failures of power supplies in data centres, but not so good at modelling attack scenarios.

Basically it boils down to the fact that it's impossible to assign a likelihood to an unknown attack.

So how on earth did risk-based security become the "standard" way of doing things in the enterprise? What use is a risk register if high-impact, low-likelihood adverse events can't be reliably quantified?

Brian joins us to discuss. It's a corker interview.

Adam Boileau joins the show for this week's news. He seems especially keen to sing CA's praises this week. Metstorm <3's CA. He even has CA pyjamas. I've seen them.

Episode 190 of the Risky Business podcast is brought to you by our good buddies at Astaro.

Astaro's Jack Daniel joins us in this week's sponsor interview to talk about the evolution of firewalls. We try to predict what they're going to look like, five or ten years out. No surprises for guessing convergence is going to be a big thing.

In this week's feature interview we chat with Kowsik Guruswamy of muDynamics about a project his company kicked off called pcapr.net

It's an online archive of packet captures/traces with 60 million packets archived and 5200 members contributing. It's a great project and I'm surprised more people in the infosec community haven't heard of it.

As always, Adam Boileau stops in for a check of the week's news.

This week's show is brought to you by NetWitness.

The minting of some dodgy SSL certificates has the whole security world in a bit of a tizz, but this week's feature guest thinks much of the resulting media coverage is missing the point. Why are browsers designed to make Boolean trust decisions? Why do they completely trust CA issued certs?

Peter Gutmann of the University of Auckland joins me to discuss.

Adam Boileau pops in for the week's news, as always.