Risky Business Podcast

This week's feature interview is with Ian De Villiers of the South African security firm Sensepost.

Ian recently dropped a couple of interesting SAP security tools at 44con in London and ZACon in South Africa.

SAP makes Enterprise Resource Planning (ERP) solutions... CRM, SCM, PLM... you know, all that three-lettered, thick client enterprise stuff. It's everywhere and as it turns out, one of the only things that has saved it from thorough examination in the past has been the obscurity of its protocol.

Well, Ian, extending the work of Ukranian security guy Dennis Yurichev, has written a couple of tools that will let you play around with SAP software. He's written a protocol decoder, SAPcap, and SAProx, which Ian describes as being like Webscarab for the SAP protocol.

Also this week, Adam Boileau and I have a chat about the week's news, PLUS the latest twists in the First State Superannuation saga.

On this week's show we're delving into a troubling story emerging here in Australia. A local security researcher and consultant, Patrick Webster, has been threatened with criminal and civil prosecution after he disclosed a direct object reference bug in his pension fund's systems.

We'll be discussing this in the news with Adam, then we'll be hearing from First State Superannuation's Chief Executive Michael Dwyer himself!

Also on this week's show I'll be playing part two of my interview with famed hacker Kevin Mitnick. There's a very funny story in there about what happened when I asked him to track down Christopher Boyce, aka the Falcon of the Falcon and the Snowman fame. Boyce is an American who, at the time, had just been released from prison after serving a lengthy sentence for treason.

A big news story over the last week was the Chaos Computer Club's discovery of a piece of malware thought to be used by law enforcement in Germany. Over there, government agencies are allowed to use malware to Intercept internet telephony, but nothing else. As it turns out the trojan was packed with all sorts of extra features that just shouldn't have been there.

We'll be discussing that whole thing in this week's sponsor interview with Markus Hennig -- the co-founder of Astaro, which is now the network security division of Sophos.

Adam Boileau, of course, stops by for this week's news segment.

To subscribe to the Risky Business podcast via iTunes, click here.

This week's feature guest is Kevin Mitnick! Possibly one of the world's best known computer hackers, Kevin has been the subject of several books and even a B-Grade movie. He spent years on the run evading capture by the FBI, eventually winding up in prison for something like five years.

Since his release in January 2000 he's become a successful public speaker, security consultant and author. His latest work, however, is his most well received. Kevin, with writer William L. Simon, has finally written an autobiography, and from nowhere it's become a New York Times bestseller.

I've read it, it's heaps of fun... Kevin will be popping in later in the show to tell us why he's written his biography now... and I get to quiz him on some stuff that's not actually in the book. Hope you'll stick around for that.

This week's show is brought to you by RSA Security so in this week's sponsor interview we chat with Mason Hooper about RSA's investigation into a particularly badass Zeus variant. They actually managed to seize around 200Gb of filtered financial information out of its C&C. That's a fair bit of dataz!

Also, Adam Boileau is back from Europe and rejoins the show to discuss the week's news headlines!

*****WARNING... we use the sh** word a lot in this episode. I have no idea why.

There's no feature interview in this week's show, instead we're focussing on news instead!

And what a week it's been.

Browser makers have slayed the SSL BEAST attacks, Goldman Sachs' CEO got dox'd, as did Sgt. Douchebag of the NYPD. You know the one... he's the guy who maced a bunch of peaceful protestors in the face.

Microsoft even got in on the action and dox'd the operator of the Kelihos botnet!

Meanwhile if you're a Cisco admin you're likely having a tough week, as are the folks at Diebold, who apparently STILL can't make secure e-voting machines.

Also this week, Tenable Network CEO Ron Gula joined us to talk about log analysis. Sounds dry, but it's not. This week's show is, of course, sponsored by Tenable!

This week's feature guest is the head honcho of the Beef Project, NGS Secure's Wade Alcorn.

Wade joins the program to talk about the SSL/TLS flaw that Juliano Rizzo and Thai Duong plan to demonstrate at the Ekoparty security conference. They've found some really nice flaws in TLS 1.0 that mean you can, under some circumstances, when six planets align in the June dawn, extract session cookies from SSL connections.

It's not a bug that marks the end of the world, but it's just a really interesting one so Wade will be along to discuss it.

And this week we check the news headlines with Mark "Longpipes" Piper.

On this week's show we chat with Ruxcon organiser and vulnerability researcher Chris Spencer.

Chris pops by to offer a five percent discount on Ruxcon training to Risky Business listeners, and we also have a quick chat to him about trends in the vulnerability research game.

Chris was popping shells and publishing exploits since the nineties, so he's seen a few things change!

Also this week, RSA's Mason Hooper joins the show for this week's sponsor interview. We ask Mason for his thoughts on a not-particularly-convincing Norton survey report that estimates cybercrime is now bigger than the illegal drugs industry. Ha!

Mark "Longpipes" Piper is this week's news guest. He's filling in while Adam Boileau is in Afghanistan seeking advanced beard grooming tips.

On this week's show we take a look at the security of browser JIT engines with two extremely smart guys: Chris Rohlf and Yan Ivnitskiy of Matasano Security.

They presented a paper in Vegas all about attacking clientside JIT compilers. It's good, old-fashioned security research -- the type of research that's increasingly being withheld from the public these days.

What is a JIT compiler? How does it work? Do they present inherent security problems? Tune in to find out!

This week's show is brought to you by Sophos Network Security. In this week's sponsor interview we're joined by that company's product manager Angelo Comazzetto to discuss network visibility and application aware firewalls.

Normally Adam Boileau joins the show to discuss the week's news, but he's off globetrotting for the next few weeks, so instead his buddy Mark "Longpipes" Piper steps into the news slot to fill in. Thanks Mark!

What a week in information security! Between Kernel.org getting owned, the Iranian Government apparently hacking a Dutch CA to mint around 250 valid certs for stuff like *.google.com and Wikileaks experiencing a spectacular opsec fail, there's plenty to talk about in this week's news segment with Adam Boileau.

In this week's feature interview we speak with Greens Senator Scott Ludlam about the governments proposed Cybercrime Legislation Amendment Bill. There's been a lot of FUD out there on this one and Senator Ludlam joins the show to dispel some myths and discuss some specific improvements the Greens would like to see made to the package of legislation.

This week's sponsor interview is with Ron Gula, CEO of Tenable Network Security.

Ron says some people out there in the market are forming a consensus that preventing attacks is just too hard, and so they're focussing too much on merely detecting compromises. Ron says a balanced approach is better. He joined me by phone to discuss.

* By the way, the company Ron mentions a company named Kyrus. Wasn't very clear in the recording.

This week's feature interview is with anonymous infosec blogger Diocyde.

He has access to some fairly sensitive shit, so we can't tell you his name and we've had to disguise his voice.

Diocyde is best known as the author of the Veiled Shadows blog.

On it, he's written volumes about state-sponsored attacks against the United States. He's tracked who he says are Chinese malware writers and basically doxed them on the blog. He's advocated a hot cyber-war against China to stop that country from continuing to siphon off US-developed intellectual property and intelligence and he's written it all under the influence of pure fury.

Chinese attacks against the USA make this guy angry, as does the idea that attribution in the cyber sphere is difficult.

Interest in Diocyde's blog really took off when links to it popped up in e-mail stolen from HBGary Federal. Things got even more interesting when a few of his posts not only disappeared from the blog, but also disappeared from Google's cache.

In particular, one post titled "Busting the APT can wide open" went missing. It contained a large amount of intelligence on Chinese malware writers.

It was a fascinating read, and it's been completely removed from the Internet.

Doicyde joined me to discuss his blog, the missing posts, Chinese cyber espionage and attribution.

This week's sponsor interview is with RSA Product Manager Jeffery Carpenter.

This week we're chatting to Jeff about RSA's vision for the future of two-factor authentication. Are soft tokens becoming more popular? Is that a problem? What role will mobile device features like NFC play in the 2FA equation in the future?

Also this week, Adam Boileau joins us with the week's news headlines.

You may have heard about Microsoft's Blue Hat Prize for defensive security research. The company is running a contest for the best memory corruption bug mitigation technology. So, if you reckon you've found the next DEP or ASLR, you could be eligible for the company's $200,000 first prize.

It marks a departure from bug bounties -- this is a contest that rewards defensive research, not just new attacks.

There has, however, been a limited but vocal backlash. Security development firm Supreption took to its blog to describe the contest as a "late April Fools joke".

Winners of the contest maintain ownership of their ideas and intellectual property, but Microsoft assumes right to implement any entries it chooses into its operating systems. The guys at Supreption say that means Microsoft is getting way too good a deal for its prizemoney.

The blog claims the PaX team, creators of ASLR, support the company's position.

Microsoft's Katie Moussouris joins the show to face the criticisms and defend the prize.

Adam Boileau, of course, joins the show to discuss the week's news headlines.