Risky Business Podcast

On this week's show we're mostly focussing on news! It's been a massive week in news -- we've had AT&T users' Facebook data being re-routed through China, we've had more speculation on the RSA hack, Comodo has been busted dishing out trusted SSL certificates for gmail.com to a box in Iran, there's a stack of SCADA 0day being dropped, there's people going to prison, giant rats eating entire data centres.... ok, well I made the last bit up, but the rest of it, if you can believe it, is true!

So we'll chat with Adam Boileau about a lot of that stuff in the regular news segment, and we'll be joined by Declan Ingram to discuss the Comodo SSL breach and the SCADA news.

In this week's sponsor interview we're chatting with Tenable Network Security's evangelist Paul Asadorian. Well, Paul and his buddy Larry Pesce. Paul and Larry host the PaulDotCom security weekly podcast, and they popped by to discuss the issue of APTs and risk-based security. It's a great chat, and it's coming up later.

This week's show is sponsored by Tenable Network Security.

It's episode 187, the homicide edition, and RSA conveniently falls victim to a drive by. Thanks guys!

This week's show is a ripper. We've got two feature guests -- Kimberly Zenz of iDefense and Paul Ducklin of Sophos.

We talk about everything from recent disinformation and social media manipulation campaigns in the Middle East and Belarus, the breach of RSA by parties unknown wielding those mysterious "APTs". Allegedly.

Duck and I also have a chat about Privacy International proclamation that Skype is a threat to the security and privacy of activists and dissidents. We don't know what they've been smoking over there at Privacy International, but I bet you it's some good stuff -- the criticisms levelled against Skype are, largely, baseless. Allegedly.

Adam Boileau joins us, as always, to discuss the week's news headlines.

This week's show is jam-packed! We'll be chatting with Andrea Barisani about a presentation he did with Daniele Bianco at CanSecWest this week. They're both from Inversepath, and the title of their talk was "Chip and PIN is definitely broken". Is it? Find out after the news.

Also this week we chat with CSO Adam Pointon. What can you do when your executives want to use their iPad or other mobile device on your network? Is it possible to create a security policy for consumer devices on your network? Well, yeah, it is, as it turns out.

In this week's sponsor interview we chat with Jack Daniel of Astaro. The topic is IPv6. Despite the fact that the Internet has run out of v4 addresses I haven't personally seen the four horsemen of the Internet failpocalypse riding down my street just yet. But be assured, there's a transition coming and Jack joins us to discuss how you can prepare for it.

Adam Boileau, as always, stops by with his take on the week's news.

On this week's show Peter Gutmann drops by to talk about Solid State Drives (SSDs) and digital forensics. Depending on which report you saw over the last week you may have read that it's impossible to reliably delete data from an SSD, or that SSDs are a forensic nightmare because they DO delete so much data.

Well it turns out both statements are correct, and Peter "Gutmann Method" Gutmann joins us to explain how.

Also this week, Tenable Network Security and industry Stalwart CEO Ron Gula joins us to chat about the concept of restricting the sale and export of exploit information or malicious software. How does one determine what is malicious or other in a discipline where almost everything is dual use? That's this week's sponsor interview.

Adam Boileau, of course, joins us for the week's news.

******I missed a couple of "naughty words" in this week's edit, so put your headphones on if the kids are about...

On this week's show we're having a chat with the editor of Wired.com's Threat Level blog, Kevin Poulsen.

He joins us to discuss his new book, Kingpin, which is out this week in the US and on March 1st is Australia.

Kingpin tells the story of Max Ray Vision, a hacker who started off as a typical carder but came to control virtually the entire online credit card fraud scene in the English speaking world. How? By owning rival forums, merging their users into his site and then torching the competition. It was pretty effective.

Adam Boileau joins us to discuss the week's news.

This week's edition of Risky Business is brought to you by NetWitness!

On this week's show we look at the history of LIGATT Security and its chief executive Gregory D Evans. He says he's the "world's number one hacker" and racked up multiple appearances on CNN, Bloomberg, Fox News and other respected outlets.

But that hasn't stopped others from labelling Evans a charlatan.

A recent expose by CBS Atlanta in the USA, combined with the release of Evans' mailspool, have upped the level of interest in all things LIGATT. Jericho of Attrition.org has been tracking Evans' business dealings for years. He joins us by phone from the USA to fill us in on the curious case of LIGATT Security.

In this week's sponsor interview we chat with Eddie Schwartz of NetWitness. He joins the show to talk about some nice generic ways to detect network dodginess and suspicious endpoint behaviour.

Adam Boileau, as always, joins us for the week's news.

This week's feature interview is a chat with Didier Stephens about his work in bypassing Windows-based whitelists.

You can read about Didier's work here and here.

You can really lock down Windows boxes by whitelisting what can run on them. You've got SRP -- or Software Restriction Poly, and you've got the Windows 7 feature AppLocker. Primarily they're designed to stop daft employees from installing malware-laden baby name generators and stuff like that, but some administrators have found this approach is quite effective at blocking malware.

After Stuxnet came along, for example, some admins turned to AppLocker for a bit of extra comfort. But as you'll hear, if your goal is preventing custom malware from running on your system, you're about to learn that AppLocker is pretty much useless.

Didier Stephens is based in Belgium, works as a security guy in the finance industry and enjoys doing unnatural things to Windows. He joined us by phone to discuss his latest party trick.

In this week's sponsor interview we're joined by Astaro's Jack Daniel. He joins us to discuss security for small to medium businesses. It seems that half the time their paying way too much for top level advice or being fleeced by charlatans. What's some practical advice for SME businesses?

In this week's new segment Adam Boileau and Patrick Gray discuss the HBGary hack.

This week's edition of the show is brought to you by Tenable Network Security. We'll hear from Tenable's Paul Asadorian in this week's sponsor interview.

In this week's feature interview we're chatting with Immunity Inc's Bas Alberts about the security of Google's Android mobile operating system. As it turns out, Android's patching model is pretty awful.

To demonstrate the problems with Android, this week's feature guest, Bas Alberts, took a Webkit bug affecting the Chrome browser found on Android devices, attacked his boss's phone and used a garden variety Linux kernel local privilege escalation vulnerability to completely own the phone. He turned it into a video and it was uncomfortable viewing to say the least.

Bas works for Immunity Inc in the USA and joined me by phone to discuss his research and its implications.

Adam Boileau is back on deck to discuss the week's news headlines!

This is the last Risky Business podcast for 2010, and it's a cracker!

In it we take a look at three things that shaped the information security news agenda in 2010 -- Stuxnet, Wikileaks and the resulting militarisation of the Internet.

We also look back on a year of UNIX-beard-guy news with Adam Boileau.

We hope you enjoy this special edition -- we'll be back in February 2011!

On this week's show we're taking a look at a nifty little presentation by Mark Piper delivered to the recent Kiwicon conference.

Pipes is a pentester, and he's figured that around 4% of websites, globally, leak source code because they're allowing metadata from their code versioning and revision control systems to wind up on their production boxes.

Sometimes that means you can obtain source code when you're doing a black box pentest, or even if you're trying to pwn Facebook or Twitter on your own time.

Also this week, Adam Boileau joins us to discuss the week's news and Microsoft's Katie Moussouris joins us to discuss her role in drafting the ISO standard for vulnerability disclosure. That's this week's sponsor interview.