Risky Business Podcast

Analysis and news podcasts published weekly

Risky Business #66 -- Phone pwnage at Beijing Olympics?

Presented by

Patrick Gray

CEO and Publisher

Adam Boileau

Technology Editor

Hey hey, Risky Business is up, sponsored this week by the fine folks at Tenable Network Security. On this week's show we speak to counter-surveillance guru Les Goldsmith from ESD Group Australia about extracting data from mobile phones. If you're someone in a sensitive job, you might want to think twice about taking your phone with you to the Beijing Olympics, Goldsmith says.

Risky Business 66 also features part two of our interview with wireless guru Neal Wise of Assurance.com.au. In this week's segment Neal discusses 802.11n headaches, companies becoming complacent after implementing 802.1x, bad security in the name of compliance and more.

This week's sponsor guest is Marcus Ranum from Tenable Network Security, who argues penetration tests seldom represent true value.

During the podcast you'll hear Les Goldsmith mention a National Institute of Standards and Technology (NIST) paper on mobile phone forensics. It's here (pdf). You'll also hear Patrick Gray mention Federal Agent Nigel Phair's Pacific Islands Computer Crime and Security Survey. That one's here (pdf).

Duration: 45:41

Risky Business #65 -- Bluetooth bites

This week's show is sponsored by Check Point Software and hosted by Vigabyte. In Risky Business 65 we take a look at all things wireless with Assurance.com.au's Neal Wise.

The news of a gaping hole in Microsoft's Bluetooth stack has given the topic some currency, so we brought Neal on the show to talk to us about Bluetooth and 802.11 headaches. Neal conducted this year's wireless workshop at the AusCERT conference on the Gold Coast. (Highlight? Taking his class war driving in the War Bus... some of them were law enforcement types. Chortle.) He goes through some of the funky stuff you can do with Bluetooth in particular, before we have a chat about 802.11 shenanigans.

On this week's show:

  • ZDNet Australia's Munir Kotadia discusses the week's news headlines with host Patrick Gray
  • Neal Wise of Assurance.com.au talks wireless
  • Check Point Software's Steve McDonald pops in for this week's sponsor interview: this one's all about always-on VPNs.

Duration: 41:21

Risky Business #2^6 -- Cisco rootkits and the return of Rux

This week's edition of Risky Business is brought to you by RSA Security and hosted by Vigabyte virtual hosting.

There's no news segment in this week's show -- by the time you download this podcast, host Patrick Gray will be climbing a cliff somewhere in southern Thailand thanks to the marvelous wonder that is pre-recording and the time-stamp feature in WordPress.

Nevertheless, this week's show tills some fun ground, including the recent Flash-based exploit doing the rounds in the wild, Cisco rootkits, the hysteria over the potential reverse engineering of an IOS SSH patch, the return of Ruxcon and more.

Guests on this week's show:

  • Juniper Networks security boffin Steve Manzuik
  • Ruxcon lead organiser Chris Spencer
  • RSA Security's Greg Singh pops by in this week's sponsor interview

Duration: 23:27

Risky Business #63 -- Gutmann gleeful, Ranum raves

This week's edition of Risky Business is sponsored by Tenable Network Security and hosted by Vigabyte virtual hosting.

This week we're back to normal programming after attending AusCERT's annual conference last week. In all, the Risky Business crew managed to put up 21 podcasts over five days, featuring interviews and full presentations. Check it out here.

On this week's show, however, we hear from Peter Gutmann. You've heard Peter argue in these podcasts (part 1, part 2) that the idea that hundreds of dedicated open source fans are busy auditing code for security bugs, right now, is fanciful to say the least.

In light of the Debian disaster, we thought we'd touch base with Peter again to see if there's anything that can be done to incentivise the discovery of open source bugs.

Also on this week's show, security legend and Tenable CSO Marcus Ranum joins us in this week's sponsor interview. Marcus joined us to talk about innovation -- or the lack thereof -- in the security industry. It's a case of the same old solutions to the same old problems.

And of course, Munir Kotadia from ZDNet Australia pops in to chew the fat with host Patrick Gray in our regular news segment.

Duration: 39:04

Risky Business AusCERT Special -- Day two coverage is now live!

We've added more coverage from AusCERT's 2008 conference. You can download it here.

Day two coverage features interviews and presentations from:

  • David Litchfield, NGS Software
  • Bill Cheswick, AT&T
  • Kimberly Zenz, iDefense's Russia expert
  • Colin Whittaker, Head of Security for APACS, the UK payments association

Risky Business AusCERT Special -- Day one coverage is live!

Day one of ITRadio's AusCERT conference coverage is up and ready! You can go to our special AusCERT sub-site to download interviews and presentations. We've already got heaps on the site (www.itradio.com.au/AusCERT08/) for you to go and grab, including an interview with the former technical director of the NSA, Brian Snow.

Click here to visit ITRadio's special AusCERT site...

Risky Business NEWSFLASH -- Debian disaster more serious than first thought... interview with H D Moore

(UPDATE: H D Moore's PRNG Debian toys can be found here.)

This is a special newsflash edition of Risky Business, posting at 4pm on Wednesday May 14. Most listeners would be aware that a serious bug in Debian's random number generator has been patched overnight. Unfortunately, all keys generated by Debian systems (and by the looks of things Ubuntu systems as well) are completely useless and need to be regenerated.

That means your SSH and SSL content encryption AND authentication have been rendered ineffective. Not only are your server-generated keypairs ineffective, any user-generated keypair made with a Debian or Ubuntu box and accepted by an SSH server is vulnerable.

H D Moore is currently working on what sounds like a rainbow table-style attack which will allow him to brute force authentication over SSH in 2.5 to 6 hours. Because of the rainbow table nature of the attack, it also means he can decode intercepted packets in a matter of seconds.

Risky Business spoke to H D Moore via a VoIP line to his mobile phone in Texas, where he's pulling a late night working on this...

UPDATE: Here's a quick script to regenerate your SSH keys and display the fingerprint (don't forget to update your OpenSSL first!!)
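To make concrete why a random number generator seeded by little more than a process ID leaves every key it ever produced recoverable by precomputation (the "rainbow table" approach described above), here is a toy model added to this post. It is not H D Moore's tooling and not the Debian OpenSSL code. It assumes a Diffie-Hellman-style keypair over the 31-bit prime 2^31-1 with generator 7, a private exponent that is a pure function of a 15-bit PID, and a precomputed table of all 32768 public keys that generator can emit; the mixing function, constants and names (weak_private_key, recover_private_key, shared_secret) are constructed for the example.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/* Toy parameters, assumed for this example only: a 31-bit prime modulus and
 * a primitive root of it. Real SSH/SSL keys are RSA/DSA, but the lesson is
 * the same: a key has no more entropy than the seed that produced it. */
#define TOY_P 2147483647u        /* 2^31 - 1 */
#define TOY_G 7u
#define PID_SPACE 32768u         /* 15 bits of "entropy": pids 0..32767 */

static uint32_t modpow(uint64_t base, uint64_t exp)
{
    uint64_t result = 1;
    base %= TOY_P;
    while (exp) {
        if (exp & 1) result = (result * base) % TOY_P;   /* < 2^62, fits in 64 bits */
        base = (base * base) % TOY_P;
        exp >>= 1;
    }
    return (uint32_t)result;
}

/* The broken generator: the "random" private exponent is a deterministic
 * function of the PID, modelling a PRNG whose only surviving seed material
 * is the PID. The mixing is arbitrary (constructed); what matters is that
 * the input has only 15 bits. Output is in [1, P-2]. */
uint32_t weak_private_key(uint32_t pid)
{
    uint32_t x = pid * 2654435761u + 0x9e3779b9u;
    x ^= x >> 13;
    x *= 0x5bd1e995u;
    x ^= x >> 15;
    return (x % (TOY_P - 2)) + 1;
}

uint32_t public_key(uint32_t priv)
{
    return modpow(TOY_G, priv);
}

/* Precomputed table of every public key the weak generator can ever emit.
 * Do the work once; recovering any victim's private key is then a lookup,
 * not a brute force against the key itself. */
static uint32_t weak_pubs[PID_SPACE];
static int table_ready = 0;

static void build_table(void)
{
    for (uint32_t pid = 0; pid < PID_SPACE; pid++)
        weak_pubs[pid] = public_key(weak_private_key(pid));
    table_ready = 1;
}

/* Given only a public key, return the private exponent if the key came from
 * the weak generator, else 0 (0 is never a valid exponent here). */
uint32_t recover_private_key(uint32_t pub)
{
    if (!table_ready) build_table();
    for (uint32_t pid = 0; pid < PID_SPACE; pid++)
        if (weak_pubs[pid] == pub)
            return weak_private_key(pid);
    return 0;
}

/* DH-style shared secret. With the victim's exponent recovered, an
 * eavesdropper derives the same session secret as the two endpoints. */
uint32_t shared_secret(uint32_t their_pub, uint32_t my_priv)
{
    return modpow(their_pub, my_priv);
}

int main(void)
{
    uint32_t victim_priv = weak_private_key(4242);   /* constructed: victim's key made under pid 4242 */
    uint32_t victim_pub  = public_key(victim_priv);
    uint32_t client_priv = 123456789u;               /* constructed: a properly generated peer */
    uint32_t client_pub  = public_key(client_priv);

    uint32_t recovered = recover_private_key(victim_pub);
    printf("victim public key %" PRIu32 " -> recovered private exponent %" PRIu32 " (%s)\n",
           victim_pub, recovered, recovered == victim_priv ? "match" : "MISMATCH");
    printf("session secret seen by eavesdropper: %" PRIu32 ", by victim: %" PRIu32 "\n",
           shared_secret(client_pub, recovered),
           shared_secret(client_pub, victim_priv));
    return recovered == victim_priv ? 0 : 1;
}
```

The table takes a fraction of a second to build here because the seed space is 2^15; the real attack scales the same way, which is why the affected keys have to be regenerated rather than protected by anything downstream of them.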

Duration: 9:04

Risky Business #62 -- Hacking Salesforce.com for fun and profit

This week's Risky Business podcast is brought to you by Check Point Software and hosted, as always, by Vigabyte virtual hosting.

In this week's show we speak to one of the pioneers of cash-for-vulnerability business practices -- David Endler. He's the director of TippingPoint's DVlabs and the founder and chairman of the VoIP Security Alliance. He popped by to talk about the latest trends in bug shopping.

Of particular interest is what Endler has to say about buying bugs in software-as-a-service applications like Salesforce.com. While TippingPoint would look at buying vulnerabilities in online applications, he doesn't want to be seen to be encouraging any law breaking. It's a bind!

On this week's podcast:

  • ZDNet Australia editor Munir Kotadia discusses the week's news with host Patrick Gray
  • TippingPoint DVlabs director David Endler discusses the market for software as a service bugs
  • Check Point's Steve MacDonald drops by to share his perspective on recent comments made by RSA Security's president Art Coviello in this week's sponsor interview

Duration: 38:11

Risky Business #61 -- H D Moore's evil Eee PC

McAfee is the sponsor of this, the greatest episode of Risky Business in the history of the universe. Big thanks!

Not only does this week's podcast feature security legend H D Moore discussing his evil creation -- an Eee PC that sucks passwords out of the atmosphere, black hole style -- but RSA president Art Coviello drops by to share his not-so-happy thoughts on Bruce Schneier.

On this week's podcast:

  • ZDNet Australia's Munir Kotadia joins us for this week's news headlines.
  • Security super-boffin H D Moore joins us to talk about his contribution to wireless mayhem
  • Art Coviello, president of RSA, pops by to rip popular security commentator Bruce Schneier a new one
  • David Marcus from McAfee's US-based Avert Labs marks the 30th anniversary of spam and talks about the company's global spam experiment

NOTE: I'm on the road this week and had to record some of this week's show from my mate's living room in Maroubra. It may echo like a cave, but it's actually quite a nice place... News this week was recorded with Skype. Sorry about the crap quality. -- Pat

Duration: 41:24

Risky Business #60 -- Mark Dowd talks NULL pointers, Simon Howard defends DEFCON's Race To Zero

This week's Risky Business is an absolute cracker. Big thanks to sponsor RSA for paying our bills this week, and to Vigabyte for hosting our site.

We have two great guests on this week's show. Mark Dowd popped along to discuss his paper on NULL pointer dereferences. His research -- which included uncovering a very, very nasty bug in Flash -- has created quite a stir in the security community. In this interview Mark tells us there could be more exploitable NULL pointer bugs around the corner... and he also hints that he's about to make the Microsoft security team quite unhappy.
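To show why a NULL pointer dereference with an attacker-influenced index is more than a crash, which is the point behind the research discussed above, here is an added example that is not from Dowd's paper or from the Flash code. It uses a constructed object layout (object_t), the unchecked store pattern, the address arithmetic that store actually performs, and a checked replacement (hardened_store); all of those names are invented for this example.

```c
#include <inttypes.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed object layout: a small header followed by an array, reached
 * through a pointer that a failed lookup or allocation can leave NULL. */
typedef struct {
    uint32_t refcount;
    uint32_t length;        /* number of valid entries in items */
    uint32_t items[4];
} object_t;

/* The "it's only a crash" assumption. With obj == NULL the store does not
 * hit address 0; it hits offsetof(items) + index * 4. Whoever controls
 * index controls where value lands, so a large index reaches mapped memory
 * instead of the unmapped first page. Kept here as the pattern being
 * discussed; never call it with an untrusted obj or index. */
void vulnerable_store(object_t *obj, uint32_t index, uint32_t value)
{
    obj->items[index] = value;
}

/* The same address arithmetic the CPU performs for obj->items[index], done
 * on integers so it can be evaluated with a NULL base without faulting. */
uintptr_t write_target(const object_t *obj, uint32_t index)
{
    return (uintptr_t)obj + offsetof(object_t, items)
           + (uintptr_t)index * sizeof(uint32_t);
}

/* Hardened form: refuse a NULL object and any index outside the live
 * array instead of trusting the caller. Returns 0 on success, -1 if
 * the store was rejected. */
int hardened_store(object_t *obj, uint32_t index, uint32_t value)
{
    if (obj == NULL)
        return -1;
    if (index >= obj->length ||
        index >= sizeof(obj->items) / sizeof(obj->items[0]))
        return -1;
    obj->items[index] = value;
    return 0;
}

int main(void)
{
    object_t o = { .refcount = 1, .length = 4, .items = {0} };
    uint32_t attacker_index = 0x10000000u;   /* constructed: 256Mi entries past the header */
    int rc;

    printf("NULL object, index 0x%" PRIx32 ": store would land at 0x%" PRIxPTR "\n",
           attacker_index, write_target(NULL, attacker_index));
    rc = hardened_store(NULL, attacker_index, 0x41414141u);
    printf("hardened_store(NULL, ...) -> %d\n", rc);
    rc = hardened_store(&o, 2, 7);
    printf("hardened_store(&o, 2, 7) -> %d, items[2] = %" PRIu32 "\n", rc, o.items[2]);
    return 0;
}
```

On a 32-bit process the index above puts the write at 0x40000008, well inside the range a heap or mapped file can occupy; the hardened version rejects both the NULL object and any index past the object's own length, not just past the backing storage.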

The second feature spot on this week's show is an exclusive interview with Simon Howard. Last Friday he announced a new competition at DEFCON -- The Race To Zero. Entrants have to modify virus code to sneak it past scanners. The whole thing's designed as a gigantic piss-take on AV. Not surprisingly, some AV companies have made Howard out as some sort of devil-worshipping cyber-terrorist. You know you're in trouble when the most informed commentary on your initiative is taking place on Slashdot, so Simon popped in to defend the competition.

On this week's security podcast:

  • Patrick Gray and ZDNet Australia editor Munir Kotadia discuss the week's news
  • Race To Zero organiser Simon Howard defends the competition
  • Security superstar, mega-genius and lovely bloke Mark Dowd takes time out from pwning everything on the planet to discuss his most recent research
  • RSA's Greg Singh stops by in this week's sponsor interview. The topic is DLP

Duration: 44:05