Risky Business Podcast

This week's Risky Business was recorded in St Petersburg and edited in London. The gang at Kaspersky antivirus flew me to Russia for their 10th partner conference! Nice!

I got a chance to talk to a stack of AV guys about problems with whitelisting technology. It's showing a lot of promise, but you still can't throw out the blacklists just yet. The future of anti-malware is looking bloody complicated.

Kaspersky anti-virus CEO Eugene Kaspersky and virus analyst Magnus Kalkuhl are on the show to discuss the conundrum.

Also on this week's show we'll talk to our sponsor RSA Security about smart card authentication. With laptops shipping with smart card readers, PKI is looking tantalisingly practical. Who knew that'd ever happen?

No news this week, I'm still on the road.

On this week's show we're talking Web Application firewalls with Jeremiah Grossman. He's the founder and CTO of WhiteHat Security -- and he's also a semi regular guest on Risky Business.

On this week's podcast Jeremiah chats about WAFs, or Web Application firewalls, which he says come in quite handy. Admittedly he's biased, having done some work on WAFs that work with F5 kit, but he provides some pretty compelling arguments as to why these things are assets.

It takes typical organisations around 130 days to fix sequel injection bugs in code. But you can mitigate these sorts of things with a Web app firewall, and you won't even have to deal with the development team! Hooray!

Check Point Software's Steve MacDonald also drops by for this week's sponsor interview, which is about considering allowing staff to bring their own laptops to work.

ZDNet Australia's Munir Kotadia is sick this week, so Kiwicon organiser and Winlockpwn creator Adam Boileau steps in to fill his shoes.

On this week's Risky Business we're taking a look at firmware root kits with John Heasman from the US arm of NGS Software. Some time ago, John figured out how to plonk a root kit on to a PCI device [pdf]. As you can imagine, those sorts of root kits can be very difficult to detect and remove.

But it gets worse.

Newer research, due to be presented at BlackHat in Las Vegas, will show how the CPU on some PCI devices (like the chip on network devices designed to do TCP checksum calculations) can actually be used to run the root kits. That means they never gets loaded into main memory. Try detecting that!

Also on this week's show, Munir Kotadia from ZDNet Australia joins us to discuss the week's news.

Hey hey, Risky Business is up, sponsored this week by the fine folks at Tenable Network Security. On this week's show we speak to counter-surveillance guru Les Goldsmith from ESD Group Australia about extracting data from mobile phones. If you're someone in a sensitive job, you might want to think twice about taking your phone with you to the Beijing Olympics, Goldsmith says.

Risky Business 66 also features part two of our interview with wireless guru Neal Wise of Assurance.com.au. In this week's section Neal discusses 802.11n headaches, companies becoming complacent after implementing 802.1x, bad security in the name of compliance and more.

This week's sponsor guest is Marcus Ranum from Tenable Network Security, who argues penetration tests seldom represent true value.

During the podcast you'll hear Les Goldsmith mention a National Institute of Standard and Technology (NIST) paper on mobile phone forensics. It's here (pdf). You'll also hear Patrick Gray mention Federal Agent Nigel Phair's Pacific Islands Computer Crime and Security Survey. That one's here (pdf).

This week's show is sponsored by Check Point Software and hosted by Vigabyte. In Risky Business 65 we take a look at all things wireless with Assurance.com.au's Neal Wise.

The news of a gaping hole in Microsoft's Bluetooth stack has given the topic some currency, so we brought Neal on the show to talk to us about Bluetooth and 802.11 headaches. Neal conducted this year's wireless workshop at the AusCERT conference on the Gold Coast. (Highlight? Taking his class war driving in the War Bus... some of them were law enforcement types. Chortle.) He goes through some of the funky stuff you can do with Bluetooth in particular, before we have a chat about 802.11 shenanigans.

On this week's show:

• ZDNet Australia's Munir Kotadia discusses the week's news headlines with host Patrick Gray
• Neal Wise of Assurance.com.au talks wireless
• Check Point Software's Steve McDonald pops in for this week's sponsor interview: this one's all about always-on VPNs.

This week's edition of Risky Business is brought to you by RSA Security and hosted by Vigabyte virtual hosting.

There's no news segment in this week's show -- by the time you download this podcast, host Patrick Gray will be climbing a cliff somewhere in southern Thailand thanks to the marvelous wonder that is pre-recording and the time-stamp feature in WordPress.

Nevertheless, this week's show tills some fun ground, including the recent Flash-based exploit doing the rounds in the wild, Cisco rootkits, the hysteria over the potential reverse engineering of an IOS SSH patch, the return of Ruxcon and more.

Guests on this week's show:

• Juniper Networks security boffin Steve Manzuik
• Ruxcon lead organiser Chris Spencer
• RSA Security's Greg Singh pops by in this week's sponsor interview

This week's edition of Risky Business is sponsored by Tenable Network Security and hosted by Vigabyte virtual hosting.

This week we're back to normal programming after attending AusCERT's annual conference last week. In all, the Risky Business crew managed to put up 21 podcasts over five days, featuring interviews and full presentations. Check it out here.

On this week's show, however, we hear from Peter Gutmann. You've heard Peter argue in these podcasts (part 1, part 2) that the idea that hundreds of dedicated open source fans are busy auditing code for security bugs, right now, is fanciful to say the least.

In light of the Debian disaster, we thought we'd touch base with Peter again to see if there's anything that can be done to incentivise the discovery of open source bugs.

Also on this week's show, security legend and Tenable CSO Marcus Ranum joins us in this week's sponsor interview. Marcus joined us to talk about innovation -- or the lack thereof -- in the security industry. It's a case of the same old solutions to the same old problems.

And of course, Munir Kotadia from ZDNet Australia pops in to chew the fat with host Patrick Gray in our regular news segment.

We've added more coverage from AusCERT's 2008 conference. You can download it here.

Day two coverage features interviews and presentations from:

• David Litchfield, NGS Software
• Bill Cheswick, AT&T
• Kimberly Zenz, iDefense's Russia expert
• Colin Whittaker, Head of Security for APACS, the UK payments association

Day one of ITRadio's AusCERT conference coverage is up and ready! You can go to our special AusCERT sub-site to download interviews and presentations. We've already got heaps on the site (www.itradio.com.au/AusCERT08/) for you to go and grab, including an interview with the former technical director of the NSA, Brian Snow.

Click here to visit ITRadio's special AusCERT site...

(UPDATE: H D Moore's PRNG Debian toys can be found here.)

This is a special newsflash edition of Risky Business, posting at 4pm on Wednesday May 14. Most listeners would be aware that a serious bug in Debian's random number generator has been patched overnight. Unfortunately, all keys generated by Debian systems (and by the looks of things Ubuntu systems as well) are completely useless and need to be regenerated.

That means you SSH and SSL content encryption AND authentication has been rendered ineffective. Not only are your server generated keypairs ineffective, any user-generated keypair made with a Debian or Ubuntu box and accepted by an SSH server is vulnerable.

H D Moore is currently working on what sounds like a rainbow table-style attack which will allow him to brute force authentication over SSH in 2.5 to 6 hours. Because of the rainbow table nature of the attack, it also means he can decode intercepted packets in a matter of seconds.

Risky Business spoke to H D Moore via a VoIP line to his mobile phone in Texas, where he's pulling a late night working on this...

UPDATE: Here's a quick script to re-generate your ssh keys, and display the fingerprint (dont forget to update your openssl first!!)

<br/> #!/bin/sh<br/> # debian damn you!<br/> # golden rule "dont write your own crypto - dont modify others!"<br/> # we're trusting /etc/ssh/* are not symlinks, etc etc.<br/> export SSHKEYGEN=/usr/bin/ssh-keygen<br/> export TIMESTAMP=`date +"%Y%m%d%s"` <p>mkdir /etc/ssh/backup 2>/dev/null</p> <p>mv /etc/ssh/ssh_host_rsa_key /etc/ssh/backup/ssh_host_rsa_key-$TIMESTAMP<br/> mv /etc/ssh/ssh_host_rsa_key.pub /etc/ssh/backup/ssh_host_rsa_key.pub-$TIMESTAMP<br/> $SSHKEYGEN -q -t rsa -f /etc/ssh/ssh_host_rsa_key -N "" -C "" < /dev/null > /dev/null 2> /dev/null</p> <p>mv /etc/ssh/ssh_host_dsa_key /etc/ssh/backup/ssh_host_dsa_key-$TIMESTAMP<br/> mv /etc/ssh/ssh_host_dsa_key.pub /etc/ssh/backup/ssh_host_dsa_key.pub-$TIMESTAMP<br/> $SSHKEYGEN -q -t dsa -f /etc/ssh/ssh_host_dsa_key -N "" -C "" < /dev/null > /dev/null 2> /dev/null</p> <p>$SSHKEYGEN -l -f /etc/ssh/ssh_host_rsa_key<br/> $SSHKEYGEN -l -f /etc/ssh/ssh_host_dsa_key<br/> </p>