Risky Business Podcast

Analysis and news podcasts published weekly

Risky Business #244 -- Padding oracle attacks on crypto tokens: How bad?

Presented by

Patrick Gray

CEO and Publisher

Adam Boileau

Technology Editor

There's a lot of really interesting news this week. Adam Boileau is back on deck at the top of the show to discuss shitty security at the Ecuadorian embassy in London, the new tool DroidSheep, DARPA's (DERPA? Lol.) attempts at securing the architectural mess that is Android, dudes going to prison, other dudes getting away with stuff and much, much more!

In this week's feature interview we chat with Matthew D. Green, Assistant Research Professor at Johns Hopkins University's Information Security Institute. We're talking to him about some recently unveiled attacks against hardware tokens that enable attackers to extract key material that's supposed to be protected. Oops!

Matthew blogged about it here, and the paper we discuss is here [pdf].

This week's show is brought to you by our good friends at SensePost! SensePost founder and director Charl Van Der Walt will be along in this week's sponsor interview to discuss what he's learned from teaching BlackHat courses for 10 years.

Duration: 46:57

Risky Business #243 -- Quickly! To Ecuador!

In this week's news segment we cover Julian Assange's attempt at martyrdom in style, claims of a Twitter outage, the cracking of 923-bit pairing-based encryption in Japan, the blackmailing of an American firm by hackers, Face.com's tragic fail, The Washington Post's stunning (not) revelation that Flame was the work of the US and Israel, AutoCAD worms, bug bounties and more!

Insomnia Security's Mark Piper tackles all that at the top of the show. He's filling in for Adam Boileau.

Also in this week's show we're chatting with Adobe's director of product security and privacy Brad Arkin. We're talking to him all about an opinion piece Bruce Schneier wrote for Forbes about twisted incentives in the vulnerability market. It's interesting stuff.

That's this week's sponsor interview.

There's no feature interview this week and possibly no podcast next week. Family stuff.

Duration: 49:12

Risky Business #242 -- Massive recon with HD Moore

On this week's show we chat with Rapid7's HD Moore about massive recon in both the IPv4 and IPv6 worlds. He's been busy basically banner grabbing the entire Internet and he's found some really, really weird stuff out there. There are some very interesting nuggets in that interview. Check it out.

This week's show is brought to you by Tenable Network Security so in this week's sponsor interview we're chatting with Tenable's CSO Marcus Ranum about why the hell people are still using fast hashing algorithms for password storage. We also talk about a couple of novel approaches to authenticating high-value clients in the finance world.

Normally we'd start off with the week's news segment with Adam Boileau, but he's off in Estonia at the moment, so filling in for him this week is his colleague at Insomnia Security, Mark "Pipes" Piper.

Duration: 64:11

Risky Business #241 -- Parmy Olson discusses her book on LulzSec

On this week's show we'll be chatting with Forbes' London bureau chief Parmy Olson.

Parmy did a great job of covering the whole LulzSec fiasco last year for Forbes, but she's gone one better and written a book about the whole thing. It's called We Are Anonymous: Inside the hacker world of LulzSec and you know what? It's pretty good!

Actually, it's really, really good. I'm about a third of the way through a review copy. Parmy will join us to talk about what it was like to stitch a story like this together.

This week's show is brought to you by those fine folk at HackLabs, a Sydney-based penetration testing firm. Its founder and big cheese Chris Gatford will be along in this week's sponsor interview to chat about two-factor authentication via cellphones.

There was a really interesting attack against 4chan through its hosting provider CloudFlare this week that involved some telephone trickery. Do people place too much trust in out-of-band second factors? Find out in this week's sponsor interview!

Adam Boileau, as always, joins us to talk about ABSOLUTELY EVERYONE GETTING OWNED! Between LinkedIn, eHarmony and Last.fm getting popped, the US as good as claiming credit for Stuxnet, Flame man-in-the-middling Windows Update and all sorts of other crazy stuff, well, it's been a hell of a week for news!

Duration: 58:04

Risky Business #240 -- FPGA "back doors"

On this week's show we're taking a look at some research out of Cambridge University that's drawn a lot of attention. It involves a claim that researchers found a hardware back door on a Chinese-made FPGA (Field Programmable Gate Array).

That FPGA is apparently used in military hardware. You can find links to the draft paper and a write-up here.

So was this "back door" put there by super-secret Chinese cyber-warriors? Or is it something much less interesting like an undocumented debugging interface?

Peter Gutmann is this week's feature guest and he'll be telling us all about it.

This week's show is sponsored by SensePost.

SensePost is a South African security consultancy that also has a presence in Europe. They are some seriously, seriously smart people and we're thrilled to have them as a sponsor.

In this week's sponsor interview we're taking a look at some research the company has done into cloning RSA soft tokens. We all know that soft tokens are theoretically weak, but SensePost's Behrang Fouladi set his mind to actually reversing them and seeing just how easy it is. As it turns out, very.

Adam Boileau, as always, stops by to discuss the week's news.

Duration: 56:52

Risky Business #239 -- The Zetas cartel and social media

This week's feature audio is an excerpt from an AusCERT presentation I recorded last week. The talk, by Brad Barker of the HALO Corporation, discusses the Zeta drug cartel's use of technology and social media. HALO Corporation does everything from intelligence support to kidnap and ransom consulting. Barker has an interesting analysis of how civilian technology is altering methods of operation and the wider battlefield. It's good stuff.

Adobe's director of product security Brad Arkin will be along for this week's sponsor interview to talk about Apple's decision to block vulnerable versions of Flash Player in OS X. Brad also discusses Adobe's controversial -- and subsequently reversed -- decision to NOT patch its CS5 suite of products against a code execution bug.

Adam Boileau, as always, drops by to discuss the week's news headlines.

Duration: 56:45

Risky Business #238 -- BYOD is here whether you like it or not

In this week's show we take a look at the big burning issue of BYOD.

Neal Wise of Assurance.com.au joins us to discuss some common approaches. Neal says one reason companies are starting to address the issue is because staff are already bringing devices in and connecting them to corporate resources regardless of company policy. In other words it's happening whether you like it or not.

This week's show is brought to you by Tenable Network Security -- if you need some vulnerability detection and management software, or some whiz-bang security information and event management kit, you'd best get your butt into gear and head to tenable.com.

In this week's sponsor interview Tenable Network Security CEO Ron Gula also weighs in on the debate. He says the BYOD phenomenon is doing a fantastic job at resuscitating NAC and NAP vendors.

Adam Boileau, as always, joins us for this week's news headlines.

Duration: 64:19

Risky Business #237 -- Opsec for dummies

On this week's show we're taking a look at basic opsec with an incident responder friend of ours. We'll be talking about some sensible strategies people can use when they're up to illegal stuff on the Internets, because, you know, watching all these guys getting busted for owning FBI websites from their own IPs is getting boring.

This is useful stuff to understand on the defensive side, too.

Plus Adam Boileau joins the show with his take on the week's news.

Duration: 42:37

Risky Business #236 -- What to do with 300mb of VMware source?

In this week's feature interview we're chatting with reverse engineer Jonathan Brossard about the theft of VMware source code from a third party. Lulzsec-linked hax0rs have owned up to holding around 300mb of VMware source and they say they're dropping it on May 5.

We believe them.

Predictably, VMware says it's no big deal, but Jonathan says that line is basically horseshit. He'll be joining us to tell us why.

Jonathan is the CEO of Toucan Systems and an organiser of Hackito Ergo Sum.

In this week's sponsor interview we're chatting with Adobe Software's product security chief Mr. Brad Arkin.

He'll be bringing us up to speed on what he's been up to over the last four weeks or so, and boy, has he been busy. They've been releasing silent auto-updaters for Flash Player, open source malware triage tools, making major updates to Adobe Reader 9 for the poor souls who are unable to upgrade to 10; all sorts of good stuff.

Adam Boileau, as usual, joins the show for the week's news.

***EDITOR'S NOTE: There was a small error in this week's introduction script to the sponsor interview. Changes were made to Adobe Reader 9. The introduction script mistakenly said Adobe had introduced changes to Flash Player 9.

Duration: 50:01

Risky Business #235 -- Why you really should read Mark Dowd's book

We've got a jam-packed show this week! We'll be hearing from Ruxcon organiser Chris Spencer about a new conference he's putting together. It's called BreakPoint and he's trying to establish it as a truly international conference.

We'll also be chatting with Mark Dowd about his, shall we say, more interesting vulnerability disclosure practices.

And in this week's sponsor interview we're chatting with RSA Security's Ian Farquhar about BYOD -- bring your own device. He says it's possible to spin the BYOD phenomenon into a security positive, basically because you now have an excuse to treat all your endpoints as hostile. It makes sense.

Adam Boileau, as usual, joins us for the week's news headlines.

***EDITOR'S NOTE: When I initially posted this episode I linked through to the wrong mp3. Fixed now!

Duration: 47:38