Risky Business Podcast

We've added more coverage from AusCERT's 2008 conference. You can download it here.

Day two coverage features interviews and presentations from:

• David Litchfield, NGS Software
• Bill Cheswick, AT&T
• Kimberly Zenz, iDefense's Russia expert
• Colin Whittaker, Head of Security for APACS, the UK payments association

Day one of ITRadio's AusCERT conference coverage is up and ready! You can go to our special AusCERT sub-site to download interviews and presentations. We've already got heaps on the site (www.itradio.com.au/AusCERT08/) for you to go and grab, including an interview with the former technical director of the NSA, Brian Snow.

Click here to visit ITRadio's special AusCERT site...

(UPDATE: H D Moore's PRNG Debian toys can be found here.)

This is a special newsflash edition of Risky Business, posting at 4pm on Wednesday May 14. Most listeners would be aware that a serious bug in Debian's random number generator has been patched overnight. Unfortunately, all keys generated by Debian systems (and by the looks of things Ubuntu systems as well) are completely useless and need to be regenerated.

That means you SSH and SSL content encryption AND authentication has been rendered ineffective. Not only are your server generated keypairs ineffective, any user-generated keypair made with a Debian or Ubuntu box and accepted by an SSH server is vulnerable.

H D Moore is currently working on what sounds like a rainbow table-style attack which will allow him to brute force authentication over SSH in 2.5 to 6 hours. Because of the rainbow table nature of the attack, it also means he can decode intercepted packets in a matter of seconds.

Risky Business spoke to H D Moore via a VoIP line to his mobile phone in Texas, where he's pulling a late night working on this...

UPDATE: Here's a quick script to re-generate your ssh keys, and display the fingerprint (dont forget to update your openssl first!!)

<br/> #!/bin/sh<br/> # debian damn you!<br/> # golden rule "dont write your own crypto - dont modify others!"<br/> # we're trusting /etc/ssh/* are not symlinks, etc etc.<br/> export SSHKEYGEN=/usr/bin/ssh-keygen<br/> export TIMESTAMP=`date +"%Y%m%d%s"` <p>mkdir /etc/ssh/backup 2>/dev/null</p> <p>mv /etc/ssh/ssh_host_rsa_key /etc/ssh/backup/ssh_host_rsa_key-$TIMESTAMP<br/> mv /etc/ssh/ssh_host_rsa_key.pub /etc/ssh/backup/ssh_host_rsa_key.pub-$TIMESTAMP<br/> $SSHKEYGEN -q -t rsa -f /etc/ssh/ssh_host_rsa_key -N "" -C "" < /dev/null > /dev/null 2> /dev/null</p> <p>mv /etc/ssh/ssh_host_dsa_key /etc/ssh/backup/ssh_host_dsa_key-$TIMESTAMP<br/> mv /etc/ssh/ssh_host_dsa_key.pub /etc/ssh/backup/ssh_host_dsa_key.pub-$TIMESTAMP<br/> $SSHKEYGEN -q -t dsa -f /etc/ssh/ssh_host_dsa_key -N "" -C "" < /dev/null > /dev/null 2> /dev/null</p> <p>$SSHKEYGEN -l -f /etc/ssh/ssh_host_rsa_key<br/> $SSHKEYGEN -l -f /etc/ssh/ssh_host_dsa_key<br/> </p>

This week's Risky Business podcast is brought to you by Check Point Software and hosted, as always, by Vigabyte virtual hosting.

In this week's show we speak to one of the pioneers of cash-for-vulnerability business practices -- David Endler. He's the director of TippingPoint's DVlabs and the founder and chairman of the VoIP Security Alliance. He popped by to talk about the latest trends in bug shopping.

Of particular interest is what Endler has to say about buying bugs in software-as-a-service applications like Salesforce.com. While TippingPoint would look at buying vulnerabilities in online applications, he doesn't want to be seen to be encouraging any law breaking. It's a bind!

On this week's podcast:

• ZDNet Australia editor Munir Kotadia discusses the week's news with host Patrick Gray
• TippingPoint DVlabs director David Endler discusses the market for software as a service bugs
• Check Point's Steve MacDonald drops by to share his perspective on recent comments made by RSA Security's president Art Coviello in this week's sponsor interview

McAfee is the sponsor of this, the greatest episode of Risky Business in the history of the universe. Big thanks!Not only does this week's podcast feature security legend H D Moore discussing his evil creation -- an Eee PC that sucks passwords out of the atmosphere, black hole style -- but RSA president Art Coviello drops by to share his not-so-happy thoughts on Bruce Schneier.On this week's podcast:

• ZDNet Australia's Munir Kotadia joins us for this week's news headlines.
• Security super-boffin H D Moore joins us to talk about his contribution to wireless mayhem
• Art Covellio, president of RSA, pops by to rip popular security commentor Bruce Schneier a new one
• David Marcus from McAfee's US-based Avert Labs marks the 30th anniversary of spam and talks about the company's global spam experiment

NOTE:\xa0I'm\xa0on the road this week and had to record some of this week's show from his mate's living room in Maroubra. It may echo like a cave, but it's actually quite a nice place... News this week was recorded with Skype. Sorry about the crap quality. -- Pat

This week's Risky Business is an absolute cracker. Big thanks to sponsor RSA for paying our bills this week, and to Vigabyte for hosting our site.

We have two great guests on this week's show. Mark Dowd popped along to discuss his paper on NULL pointer dereferences. His research -- which included uncovering a very, very nasty bug in Flash -- has created quite a stir in the security community. In this interview Mark tells us there could be more exploitable NULL pointer bugs around the corner... and he also hints that he's about to make the Microsoft security team quite unhappy.

The second feature spot on this week's show is an exclusive interview with Simon Howard. Last Friday he announced a new competition at DEFCON -- The Race To Zero. Entrants have to modify virus code to sneak it past scanners. The whole thing's designed as a gigantic piss-take on AV. Not surprisingly, some AV companies have made Howard out as some sort of devil-worshipping cyber-terrorist. You know you're in trouble when the most informed commentary on your initiative is taking place on Slashdot, so Simon popped in to defend the competition.

On this week's security podcast:

• Patrick Gray and ZDNet Australia editor Munir Kotadia discuss the week's news
• Race To Zero organiser Simon Howard defends the competition
• Security superstar, mega-genius and lovely bloke Mark Dowd takes time out from pwning everything on the planet to discuss his most recent research
• RSA's Greg Singh stops by in this week's sponsor interview. The topic is DLP

This week's show is brought to you by Tenable Network Security and hosted, as always, by Vigabyte virtual hosting.

On this week's show Risky Business guest Jeremiah Grossman -- Whitehat Security founder and blogger -- discusses Cross Site Request Forgery attacks with host Patrick Gray. CSRF attacks are no longer a lab attack folks, they're in the wild. Jeremiah shares his insights with us.

Infosec fixture Ron Gula, the co-founder and CTO of Tenable Network Security, pops by in this week's sponsor interview to discuss his company's moves into the SIEM market and recap the company's move to take Nessus closed source. It's been a few years since that happened -- how did it all end up?

In this week's news segment, Patrick Gray rants about the Australian media's God-awful reporting of sensible comments made by Attorney-General Robert McClelland. The sensationalist tabloid bug is evidently contagious, because it's been sweeping the Aussie media over the last week.

On this week's podcast:

• Patrick Gray discusses the week's news and beatups with Munir Kotadia
• Jeremiah Grossman talks CSRF
• Ron Gula of Tenable Network Security pops in for this week's sponsor interview

This week's Risky Business episode is sponsored by Check Point Software and hosted by Vigabyte virtual hosting. On this week's show we're looking at the latest phishing scam to target advertisers on Australia's largest jobs website, Seek. We'll also take a look at mobile security with our "mystery CSO" Adam Pointon before checking in with our sponsor to chat about drive-by downloads.

On this week's security podcast:

• ZDNet Australia editor Munir Kotadia joins host Patrick Gray to discuss the week's news
• Pure Hacking's Chris Gatford pops in for a quick chat about Seek's phishing woes
• Adam Pointon talks mobile security -- should we believe the hype?
• In this week's sponsor interview Jordy Berson from Check Point in the USA talks drive-by download prevention

This week's Risky Business is sponsored by McAfee and hosted by Vigabyte virtual hosting. The feature topic this week is negative Search Engine Optimisation (SEO) -- how the bad guys are damaging your company's search engine rankings.

On today's podcast:

• Munir Kotadia from ZDNet Australia discusses the week's news
• Roberto Suggi Liverani of Security-Assessment.com talks negative SEO
• Nishad Herath from McAfee joins us for this week's sponsor interview

This week's podcast is sponsored by RSA Security and hosted by Vigabyte. With the prize money at CanSecWest's PWN2OWN competition hitting $20k, we thought we'd take a look at the vulnerability marketplace. Are the days of full and free disclosure over? Insomnia Security's Brett Moore joins us to talk about it.

Risky Business also caught up with AusCERT's Mark McPherson. While AusCERT is putting on an executive program at its conference this year, we had to ask if security really is a boardroom issue.

In this week's sponsor interview RSA's Geoff Noble talks 2FA -- apparently tokens and SMS are old hat.

On this week's show:

• ZDNet Australia editor Munir Kotadia discusses the week's headlines
• Insomnia Security founder, vulnerability researcher and penetration tester Brett Moore discusses bug disclosure -- why give away for free what you can sell to TippingPoint?
• AusCERT's Mark McPherson talks about security in the boadroom and the group's executive program
• In this week's sponsor interview, RSA Security's Geoff Noble looks at multi-factor authentication -- what's after tokens?