Is iOS 4.x enterprise ready? Well, maybe...
August 12th, 2011 --
In this week's feature interview we're chatting with Dino A. Dai Zovi about Mac security -- Dino's well known as a Mac hacker and he's just done a BlackHat talk in which he evaluated Apple's iOS 4.x operating system for enterprise suitability. How did it stack up? Find out after the news! Also this week we check in with Sophos Network Security director of support Alan Toews about Moxie Marlinspike's latest work, an alternative way of doing SSL certificates that completely does away with CAs. That's this week's sponsor interview. Adam Boileau, of course, joins us for this week's news.
How a McAfee "research paper" turned into a media circus...
August 5th, 2011 --
On this week's show we're taking a look at the most devastating state-sponsored, planet-melting, child-eating APT the world has ever seen... according to Gizmodo it's the BIGGEST CYBER ATTACK IN HISTORY. Ummm... actually no, it's a fairly unsophisticated botnet comprising 70 targeted infections.
Authorities scoop up Topiary, "Evil"...
July 28th, 2011 --
This week we're chatting with Detective Superintendent Brad Marden of the Australian Federal Police. While the FBI are out locking up Low Orbit Ion Cannon users on no-bail warrants, Mr. Marden and his team, apparently, are out doing real, actual police work to catch real, alleged criminals. How refreshing! Listeners to this program would have heard of the case of Distribute.IT -- an Australian domain name registrar and hosting company that got majorly worked by a hacker calling himself "Evil from efnet".
LulzSec makes a spectacular return. PLUS Silvio Cesare talks academia.
July 22nd, 2011 --
In this week's feature interview we're chatting with Silvio Cesare. Silvio's an extremely well regarded infosec guy down here in Oz. He'll be chatting to us about his experience in academia. Silvio argues much criticism of academia in industry largely misses the point, and academia actually serves infosec quite well. Cryptography anyone?
Are authorities misleading us or are they actually this stupid?
July 20th, 2011 --
As many readers would no doubt already be aware, the FBI has just arrested 16 "members" of Anonymous in relation to DDoS attacks and intrusions. The US Department of Justice swiftly issued a press release with the catchy, ALL CAPS title of "SIXTEEN INDIVIDUALS ARRESTED IN THE UNITED STATES FOR ALLEGED ROLES IN CYBER ATTACKS". So this is a massive blow to "Anonymous" and its sophisticated campaign of mayhem, right? Wrong.
Did you hear the one about Sony's CAPTCHA?
July 15th, 2011 --
This week's show is all about the news -- a 30 minute dose of Metl! With Anons being arrested, parties unknown pwning defence contractors in the name of #antisec, Sony doing (even more) dumb stuff, Zeus-grade viruses smashing Android devices, India trying to wiretap Skype, support for XP running out in less than three years, Microsoft Security Centre dishing out porn and Morgan Stanley losing customer info on unencrypted disks, we just didn't have time for a feature interview this week!
It's all very cypherpunk, innit?
July 8th, 2011 --
This week's edition of the show is brought to you by Tenable Network Security, thanks guys. In this episode we're taking an in depth look at BitCoins. Most listeners would have heard of the fledgling online currency by now, but there are a number of things that make BitCoins extremely interesting. It's the world's first popular virtual, cryptographically supported commodity, and once you wrap your head around it, it's very cool stuff, regardless of whether or not you think it has a future. I'll be joined by regular guest Paul Ducklin to talk about BitCoin, after the news.
Bulletins prematurely released on evening of July 4, USA time...
July 5th, 2011 --
AusCERT has broken an embargo, accidentally and prematurely broadcasting a security bulletin pertaining to multiple vulnerabilities in the BIND DNS server earlier today. The accidental disclosure comes as the United States celebrates the evening of July 4, its independence day. The bulletin was supposed to be issued on the morning of July 6, US time. Instead, it was mailed to AusCERT's subscribers a short time ago.
Yoda says: Leave your database online you should not. Hmmmmmmm?
June 30th, 2011 --
Episode 200 FTW! In this week's feature interview we'll be chatting with Daniel Grzelak. Dan's the founder of -- an interesting little website that pulls together compromised information and lets you see if you've been affected. Dan was searching Google for .sql files that had inadvertently been made accessible online and indexed... aaaaand he found the entire database for Groupon India including plaintext passwords FOR THE LOSE!!! He'll be telling us all about that after the news.
Dude where's my .sql?
June 28th, 2011 --
The entire user database of Groupon's Indian subsidiary was accidentally published to the Internet and indexed by Google. The database includes the e-mail addresses and clear-text passwords of the site's 300,000 users. It was discovered by Australian security consultant Daniel Grzelak as he searched for publicly accessible databases containing e-mail address and password pairs. Grzelak used Google to search for SQL database files that were web accessible and contained keywords like "password" and "gmail".
A chat with Jason Scott of
June 23rd, 2011 --
Put on your Hypercolor t-shirts and Swatch watches, because this week's show features an interview with Jason Scott, the founder of If you don't remember the BBS scene in the late 80s or early nineties, well, that doesn't matter; Jason has archived all of the quirky stuff that made the BBS scene what it was back then. [ED NOTE: CONTAINS EXPLICIT LANGUAGE (MISSED SOME EDITS)]
Documentary producers seeking sources to discuss early 90's Melbourne scene...
June 22nd, 2011 --
A documentary crew are looking to interview people who remember the Melbourne BBS and hacking scene in the late 1980s, early 1990s. They're coming to Melbourne in a few weeks to film. I've seen one of their documentaries before: Enron: The Smartest Guys in the Room, and it was pretty good. I've had a chat with the producers and it seems unlikely to me that the docco will be a hatchet job. That said, I don't know these guys from a bar of soap, I can't make any guarantees as to their professionalism or ethical conduct.
Information security threats can be existential...
June 21st, 2011 --
It looks like Melbourne-based hosting company and ICANN-accredited domain name registrar Distribute.IT is fighting for its very survival. The company has posted this depressing notice on what's left of its Web-site. It might seem crazy, but Distribute.IT is facing nothing short of an existential crisis because, absurdly, it didn't take offline backups. As the company itself put it:
Could the US Government use LulzSec to justify a crackdown?
June 20th, 2011 --
LulzSec has featured prominently in security discussions after their hacks of PBS, Sony, Nintendo and a raft of gaming companies in the past month. There were even more discussions when they took aim at the CIA and went on to proclaim victory. Patrick wrote an interesting piece which went viral titled: Why we secretly love LulzSec. His argument was simple: So why do we like LulzSec? "I told you so." That's why. The article clearly struck a chord with many who added cries of "hell yeah!" all over the twittersphere.
Plus lots and lots of news...
June 16th, 2011 --
In this week's feature interview we're chatting with Gartner Research Director Andrew Walls about a fascinating research paper released by Microsoft. It's called Sex, Lies and Cyber-Crime Surveys [pdf]. It basically says most cyber crime surveys are misleading.
It's time to party like it's 1999...
June 15th, 2011 --
According to The New York Times, "sophisticated attackers" stole large quantities of customer data from Citi, using computers. You can read the article here. We know the attackers used computers, because they typed an account number into a URL bar, and computers have URL bars. Computers are sophisticated, and anyone who uses them is, apparently, "especially ingenious". Just read the article.
RSA confirms SecurID tokens make nice earrings...
June 10th, 2011 --
In this week's feature interview we're chatting with Neal Wise of about RSA's decision to finally admit what we all knew already -- that its SecurID product line has been compromised. RSA is offering to replace tokens... we'll chat with Neal about whether it will make sense to do that or not. In this week's sponsor interview we're joined by Astaro's director of Support Alan Toews. We're talking about the silver lining to all the chaos out there at the moment -- does the awareness raised by the actions of groups like LulzSec offset the harm they cause to their victims?
Elephant in room visible. Cans open. Worms everywhere...
June 8th, 2011 --
Although large sections of the security community will deny it if you ask them, they're secretly enjoying watching LulzSec's campaign of mayhem unfold. So far the "hacker group" has penetrated systems owned by Sony, PBS, the "FBI affiliate site" Infragard, security company (hah!) Unveillance and Nintendo, among others.
Why oh why is infosec software full of bugs?
June 2nd, 2011 --
On this week's show we're taking a look at the issue of failkit. Why is it that the very software designed to keep our networks secure is full of bugs? A pen tester buddy of mine recently found an 0day XSS in a single sign on product... on ITS FRONT PAGE. Another friend found an auth bypass in a two-factor authentication management console. ON ITS FRONT PAGE. It's impossible to find AV engines that don't come preloaded with a zillion format string vulnerabilities, and as you'll hear in this week's news, even Cisco's VPN solution is a nice way to actually own organisations. WTF.
Most weaponised exploits now sold to governments, HD Moore says...
May 26th, 2011 --
On this week's show we're chatting with HD Moore all about a recent decision by research house VUPEN to refuse to share their research into Chrome vulnerabilities with Google. The French group likely sells 0days to governments, militaries and intelligence agencies to use on offensive operations -- so of course sharing its exploit information wouldn't make much sense for them. But what does this mean? Will we see any bugs in the open anymore? Or will they all go underground and be sold to governments?