Risky Business Podcast

Analysis and news podcasts published weekly

Risky Business #115 -- Goldman Sachs pwned, Kimberly Zenz and Brian "Jericho" Martin

Presented by

Patrick Gray
CEO and Publisher

Adam Boileau
Technology Editor

On this week's show we're joined by semi-regular guest Adam Pointon. Adam's the CSO for a financial services company, so he has a fair bit of insight into both security technology and market-based technology. You may have heard by now that investment bank Goldman Sachs has claimed its trading algorithm has been stolen by one of its developers. Why is this a big deal? How would possession of that algorithm be advantageous to an attacker? Adam joins the show to tell us.

We also hear from Brian "Jericho" Martin -- he's the maintainer of the open source vulnerability database and he also works for Tenable Network Security, our sponsor. He'll be along in this week's sponsor interview to have a chat about that nasty DirectShow ActiveX bug that's doing the rounds at the moment -- did Microsoft drop the ball on this one? Well, the answer is maybe, as you'll hear.

We have a special news guest this week, too -- iDefense cybercrime analyst Kimberly Zenz.

Running time: 42:33

Risky Business #114 -- Gartner: Infosec jobs bound for India


This week's edition of Risky Business is hosted by Vigabyte virtual hosting and brought to you by Check Point.

On this week's show we'll be joined by Gartner analyst Andrew Walls, who's got some less than reassuring things to say about the security of your job in the long term. Apparently the great big destructive meteor, "outsourcing," is about to collide with planet infosec, and when that happens it'll be grim indeed.

We'll also be joined by Steve McDonald, Check Point Australia's Engineering Services Manager, to discuss a softening in the stance of security companies when considering hiring people with a dark past. With guys like Jeff Moss on DHS advisory panels, can we still expect to hear the CEOs of large companies tonking on about how they "don't hire hackers"? Or will they just look a little bit backwards if they do?

Adam Boileau, as usual, joins the show to discuss the week's news stories.

Running time: 43:15

Risky Business #113 -- Twitter propaganda with Maltego creator Roelof Temming and more!


This week we're taking a look at the technology angle to this whole mess in Iran. We'll be chatting with Arbor Networks chief scientist Craig Labovitz about the filtering the government is doing over there, then we'll be checking in with Roelof Temmingh of Paterva.

Paterva makes Maltego, the open source intelligence tool that many people are using to analyse various aspects of information flow in Iran -- including the spread of propaganda via Twitterbots.

We'll also be hearing from Microsoft's Stuart Strathdee in this week's sponsor interview. He'll be joining us to discuss the company's free Morro antivirus package -- it's software that probably had more anti-trust lawyers involved in its development than actual developers.

Adam Boileau also joins us with the week's news.

Editor's note: We're aware that Roelof's name is misspelled in the headline, but if we change it, it'll break the current URL and cause drama. So we'll leave it for now. But yes, his last name is spelled Temmingh, not Temming. Apologies.

Running time: 44:39

Risky Business #112 -- Pollie wanna hacker? Special guest Senator Stephen Conroy


This week's show is a cracker -- we have a very special guest, Senator Stephen Conroy.

The senator is Australia's Minister for Broadband, Communications and the Digital Economy and I caught up with him in Sydney last week to get his take on what he feels the role of government is when it comes to IT security.

We're also joined by Sydney-based security consultant Jason Edelstein who'll be chatting about telephone-related fraud. US authorities have just busted up a massive ring of phone fraudsters with links to Islamic fundamentalists, of all people. Over a period of years they hacked into more than 2500 systems and resold access via calling cards.

Apparently that netted them an estimated $55 million, which is certainly better than a kick in the proverbials.

We'll also check in with Stuart Strathdee from Microsoft. Stu's popping in to talk about 0day. There have been some really scary 0day bugs in Microsoft products lately, and Stuart pops by with his take on the situation.

He argues that Office 0days are actually pretty far down on the ye olde risk register.

And of course we check out the week's news headlines with our good friend Adam 'Metlstorm' Boileau!

If you'd like to leave us some audio feedback, to be used in the Risky Business podcast, call Sydney 02 8569 1835 or USA +1 877 688 8417 (Toll free).

Running time: 46:07

Risky Business #111 -- PLAID make Gutmann ANGRY! Gutmann SMASH!


This week's episode is hosted by Vigabyte and brought to you by Tenable Network Security.

On this week's show we're looking back at an issue we covered a little while ago: PLAID. No, not the oh-so-groovy pattern, but Centrelink's home-baked authentication protocol.

PLAID is a contactless smart card authentication protocol designed by Australia's welfare agency and released a couple of months ago. They're hoping to have it recognised as an ISO standard, but not everyone's convinced that's a good idea.

We'll be hearing from the University of Auckland's Peter Gutmann. He's a bit of a rockstar in the smart card and crypto fields, and he's had a look at the supporting documentation released by Centrelink and isn't too impressed.

It might sound like an Australia-centric story, but it's not. This is a fascinating case-study-in-progress for anyone considering doing this sort of wheel reinvention project.

In this week's sponsor segment we chat to Marcus Ranum about the liability chain when data leaks.

Securus Global's Declan Ingram joined host Patrick Gray at the pub to discuss the week's news headlines. Sorry about the background noise!

Running time: 32:26

Risky Business #110 -- Industry pioneer Nir Zuk, Gumblar, PCI lawsuits and more


This week's show is hosted by Vigabyte and brought to you by Sophos.

On this week's show we chat to an industry pioneer, Nir Zuk. He's widely credited as the creator of the first stateful inspection firewall.

These days he works for the company he founded, Palo Alto Networks. We're chatting to Nir about his thoughts on security technologies -- everything from firewalls to IDS to DLP.

Nir is a very sharp cat indeed, with a lot to say about the direction security tech is headed. He tends to push his own agenda a bit in terms of talking up his firewall approach, but he has heaps of interesting stuff to say on other topics.

In this week's sponsor interview we chat with Paul Ducklin about an old debate -- is open source better for security? It was a topic we touched on briefly in the AusCERT speed debate, which, incidentally, is available for download in our Risky Business 2 channel. We both thought it was a topic worth expanding on. It's an interesting chat and it's coming up soon.

Adam Boileau is the week's news guest.

Running time: 41:14

Risky Business #109 -- Open source intelligence with Maltego creator Roelof Temmingh


This week's episode is hosted by Vigabyte and brought to you by Check Point software.

This week you'll be hearing an interview with Roelof Temmingh, the creator of Maltego. Maltego is seriously cool software that you'll probably want to have a play with.

Roelof joins the podcast to talk about how you'd use his software to pwn a three letter agency.

In this week's sponsor interview Check Point Software's Steve McDonald joins us to discuss how vendors might create very specific kit for very specific problems. Think of SCADA firewalls and boxes designed to prevent VoIP toll fraud, stuff like that.

Are mega specific solutions a band aid approach and a terrible idea, or are they better than nothing?

As for this week's news, we all know him, we all love him and his beautiful, lustrous, soft, soft UNIX beard. Adam 'Metlstorm' Boileau joins the program, as usual, to chew the fat and discuss the last week's big headlines.

Running time: 36:24

Risky Business #108 -- Is secure code cheap code?


This week's podcast is hosted by Vigabyte virtual hosting and sponsored by Tenable Network Security.

Risky Business 108 takes a look at the SDL as it applies to web applications. White Hat Security's Jeremiah Grossman joins the program to argue secure code, in the case of web applications, isn't necessarily cheaper code. It sounds like heresy, but Grossman makes some pretty compelling points during his interview.

Adam Boileau joins us to discuss the news headlines, and this week's sponsor interview is with Tenable Network Security's CSO Marcus Ranum. This week we talk to Ranum about the ridiculousness of the credit card transaction model.

NEWS ITEMS DISCUSSED THIS WEEK:

Researchers Hack Web Application Firewalls

PowerPoint gets hefty fix, Apple inundates

Cyber attack could bring U.S. military response

Microsoft patches critical PowerPoint hole

UC Berkeley computers hacked, 160,000 at risk

Porn name game - is it fun or a live Phishing exercise?

Report: Hackers broke into FAA air traffic control systems

Pirated Windows 7 OS Comes With Trojan, Builds A Botnet

Heartland Breach Cost Company $12.6 Million So Far

Running time: 44:44

Risky Business #107 -- Mark Dowd talks native client security


Thanks to our sponsor Sophos, this week's edition of the Risky Business podcast is ready to download!

This week's feature interview is pretty kickass; a chat with security megalegend Mark Dowd. We talk to Mark about his entry in Google's Native Client security competition. It's very interesting stuff that could really have implications for your job in a few years.

Sean Richmond, who works for Sophos in Sydney, will be along in this week's sponsor interview to discuss the PDF format. We ask Sean why PDF readers like Acrobat Reader have been pretty bug prone lately.

Adam Boileau is this week's news guest.

Here's a list of the stories Adam and I discussed this week:

Feds' red tape left medical devices infected with computer virus, by Stephanie Condon

Twitter's network gets breached again, by Elinor Mills

MI6 Nixed Major Undercover Operation After Memory Stick Lost, by Kim Zetter

Microsoft Offers Secure Windows... But Only to the Government, by Kim Zetter

Epic Failure from McAfee (Also see McAfee Gets Worked. Hard.)

Over 8M Virginian patient records held to ransom, 30 Apr 2009, from Wikileaks.

Don't forget -- if you have any feedback on this week's show call Sydney 02 8569 1835 or USA +1 877 688 8417 (Toll free). We'll play your feedback in next week's show.

Running time: 52:59

Risky Business #106 -- Centrelink's new PLAID auth protocol


This week's edition of Risky Business is brought to you by Tenable Network Security and hosted by Vigabyte virtual hosting at discounted rates.

We've got a great show this week. Australia's welfare agency, Centrelink, has written its own smart card authentication protocol and it's released it to the public. It's called PLAID and the plan is to have it recognised as an ISO standard. It's an extremely ambitious project and Centrelink's smart card architect Glenn Mitchell will be along to talk about it.

We also chat to Tenable Network Security's Marcus Ranum in this week's sponsor interview. We spoke about the recent hysteria around Chinese hackers apparently downloading the plans for America's Joint Strike Fighter.

Freelance security dude Adam "Metlstorm" Boileau is this week's news guest.

We'd like to hear your thoughts on PLAID, too. Do you think it's a waste of time and taxpayer money or a masterstroke? Call Sydney 02 8569 1835 or USA +1 877 688 8417 (Toll free)... or go to the risky.biz forums.

Running time: 55:35