Risky Business Podcast

On this week's show have a chat about critical infrastructure. The Auditor General in the state of Victoria has released a 56 page report into an investigation is conducted into the security of transport and water-infrastructure control systems.

It found the security of four of the five facilities reviewed was substantially lacking. Reading the report you can tell that the bureaucrats who wrote it were having heart palpitations by the time they were done with their investigation.

The NSA's former technical director of information assurance, Brian Snow, was kind enough to read the report summary and he joins us to share his thoughts.

In this week's sponsor interview we chat with Microsoft Australia's Chief Security Advisor Stuart Strathdee about that software maker's renewed push to encourage ISPs to take action against infected machines on their network. Stu will join us to explain why Microsoft is beating that particular drum again.

Adam Boileau, as always, joins us to discuss the week's news.

NOTE: The original post accidentally linked through to episode 169 -- fixed now!

In this week's feature interview we'll be taking a look at a proposed bill in the USA that would see all software companies having to build a lawful interception capability into their products. Basically the feds in the USA would like to be able to tap Skype, Blackberrys, OTR instant messenger and so on.

And we've got the perfect guest to discuss this with -- Alastair MacGibbon. A 15-year veteran of Australia's federal police and the founding director of the AFP's high tech crime centre, MacGibbon left that job to work as eBay Australia's director of Trust and Safety when eBay owned Skype.

These days he's doing his own thing under the name Surete Group.

In this week's sponsor slot we're joined by Vitaly Kamlyuk of Kaspersky Lab in Japan. He's grumpy! He's not pleased! A security researcher in the USA published a nice big detailed blog post the other day in which he described some vulnerabilities he'd found in the Zeus botnet C&C server software.

Some in the security research community believe that disclosure was irresponsible and Vitaly is one of them. We'll hear from him after this week's feature.

As always, Adam Boileau joins us to discuss the week's news.

This week's feature is a chat with industry legend Dan Geer about Stuxnet. The more we find out about Stuxnet the more it looks like something ripped out of a spy thriller. It used four 0day bugs, two stolen code signing keys and infected a bunch of systems in Iran.

Speculation that the worm was targeting specific facilities in Iran has grown over the last week and we'll see what Dan thinks about that.

Adam Boileau joins us to discuss the week's news and Tenable Network Security chief executive Ron Gula pops in for this week's sponsor interview.

This week you'll hear from McAfee CEO Dave DeWalt and CTO George Kurtz. Since the planned merger between Intel and McAfee, a lot of people have questioned the deal's logic. DeWalt and Kurtz front Risky Business to defend the acquisition and outline what it could mean for the security technology of the future.

Microsoft has signed back on as a sponsor for the remainder of the year, and Microsoft Australia's Stuart Strathdee makes his return to the sponsor slot this week to tell us about IE9, which sounds suspiciously like IE8 in a pretty frock... or more accurately like IE8 in a bikini.

Adam Boileau joins us as usual to discuss the week's news.

On this week's show we're taking a look at Flash applications. With tonnes of thick client apps being replaced with apps built on Flash, we thought we'd have a chat to Azimuth Security's Alex Kouzemtchenko about what some of the pitfalls in developing Flash apps are.

This week's edition of the show is brought to you by Symantec, and we're stoked to have that company's CTO, Marc Bregman, on the show for this week's sponsor interview. He's an interesting guy and he's got a lot to say, not surprisingly, about where we're all headed as an industry in light of the McAfee Intel deal.

Adam Boileau, as usual, drops in to discuss the week's news.

On this week's show we're chatting with F-Secure's Jarno Niemela about some of the issues with Authenticode. He'll tell us about one fascinating case where a piece of malware actually carried a valid signature from a real company... stolen keys, right? As it turned out, that company didn't make software and had no idea what an Authenticode cert actually was. Jarno got to the bottom of that little mystery and tells us all about it after the news with Adam Boileau.

In this week's sponsor interview we're chatting with Tenable Network Security's CSO Marcus Ranum about a new project being run by DARPA, the US Defence Advanced Research Projects Agency.

The project is called CINDER and it's all about detecting rogue insider behaviour. It has potential to be a VERY interesting project, and Marcus shares his thoughts on it.

Here's a link to Jarno's CARO conference slides [pdf].

In this week's show we take a look at all the big news events over the last week. A newly rediscovered DLL hijacking technique has made some waves over the last seven days, as has the arrest in India of an e-voting machine security researcher.

Adam Boileau joins the program to discuss those items and others in this week's news segment.

In this week's feature interview we take a detailed look at Intel's decision to acquire security software maker McAfee for USD$7.68 billion. What is the reaction among analysts and the wider market?

Neohapsis CTO Greg Shipley and Gartner's Rob McMillan join the program to discuss.

This week's sponsor interview is with Ed Curtis from Research in Motion. He pops in to talk about different approaches to the mobile security problem. Should we even bother with IDSing mobile environments? Curtis says yes!

This week's guest is Felix "FX" Lindner. A well known researcher, FX has spent more than his fair share of time crawling around the innards of Blackberry devices.

He joins us this week to discuss the hubbub about lawful interception and Blackberry devices -- how resistant to wiretapping are they? What's the OS security like? What's the encryption scheme like?

As it turns out, the Blackberry holds up pretty well on most fronts, but FX fears law enforcement and intelligence agencies may start exploiting the baseband chipsets on mobile devices in order to intercept the data they carry.

It's a cracker interview.

We stick with the mobile theme in this week's sponsor interview, asking Symantec's Vincent Weafer why that company is focussing its development efforts on the Android platform. What makes Symantec so confident that Android will become the platform of attackers' choice?

Lateral Security's Adam Boileau pops in to discuss the week's news, including the "holy crap" news that McAfee is to be acquired by Intel for a figure appraoching USD$8b. WTC?!

Here's the Blackberry whitepaper mentioned in the show.

This week's show is a cracker -- we're joined by IOActive's Barnaby Jack.

He made some major waves at BlackHat this year by demonstrating his attacks on ATMs.

He joins the show to discuss his research and talk about why his talk -- which was originally scheduled for last year's BlackHat conference -- was cancelled last year.

Kaspersky Lab's Vitaly Kamlyuk is this week's sponsor guest. He joins us to discuss what AV companies can do to detect some of the more exotic malware out there such as Stuxnet.

Adam Boileau, as always, checks in with the week's news headlines.

On this week's show chat to H D Moore about his research into the security -- or lack thereof -- of the VxWorks embedded operating system.

H D did a presentation at the Security B-Sides event that ran concurrently with Black Hat in Las Vegas. As it turns out VxWorks is used in a lot of places and the people who put it together suck at maths.

People who suck at maths write bad hashing algos. Really.

We'll also have a chat with Ron Gula of Tenable Network Security in this week's sponsor interview, and of course, Adam Boileau stops by for a chat about the week's news headlines.