It's all very cypherpunk, innit?
July 8th, 2011 --
This week's edition of the show is brought to you by Tenable Network Security, thanks guys. In this episode we're taking an in-depth look at BitCoins. Most listeners would have heard of the fledgling online currency by now, but there are a number of things that make BitCoins extremely interesting. It's the world's first popular virtual, cryptographically supported commodity, and once you wrap your head around it, it's very cool stuff, regardless of whether or not you think it has a future. I'll be joined by regular guest Paul Ducklin to talk about BitCoin, after the news.
Bulletins prematurely released on evening of July 4, USA time...
July 5th, 2011 --
AusCERT has broken an embargo, accidentally and prematurely broadcasting a security bulletin pertaining to multiple vulnerabilities in the BIND DNS server earlier today. The accidental disclosure comes as the United States celebrates the evening of July 4, its independence day. The bulletin was supposed to be issued on the morning of July 6, US time. Instead, it was mailed to AusCERT's subscribers a short time ago.
Yoda says: Leave your database online you should not. Hmmmmmmm?
June 30th, 2011 --
Episode 200 FTW! In this week's feature interview we'll be chatting with Daniel Grzelak. Dan's the founder of shouldichangemypassword.com -- an interesting little website that pulls together compromised information and lets you see if you've been affected. Dan was searching Google for .sql files that had inadvertently been made accessible online and indexed... aaaaand he found the entire database for Groupon India including plaintext passwords FOR THE LOSE!!! He'll be telling us all about that after the news.
Dude where's my .sql?
June 28th, 2011 --
The entire user database of Groupon's Indian subsidiary Sosasta.com was accidentally published to the Internet and indexed by Google. The database includes the e-mail addresses and clear-text passwords of the site's 300,000 users. It was discovered by Australian security consultant Daniel Grzelak as he searched for publicly accessible databases containing e-mail address and password pairs. Grzelak used Google to search for SQL database files that were web accessible and contained keywords like "password" and "gmail".
A chat with Jason Scott of Textfiles.com...
June 23rd, 2011 --
Put on your Hypercolor t-shirts and Swatch watches, because this week's show features an interview with Jason Scott, the founder of Textfiles.com. If you don't remember the BBS scene in the late 80s or early nineties, well, that doesn't matter; Jason has archived all of the quirky stuff that made the BBS scene what it was back then. [ED NOTE: CONTAINS EXPLICIT LANGUAGE (MISSED SOME EDITS)]
Documentary producers seeking sources to discuss early '90s Melbourne scene...
June 22nd, 2011 --
A documentary crew are looking to interview people who remember the Melbourne BBS and hacking scene in the late 1980s, early 1990s. They're coming to Melbourne in a few weeks to film. I've seen one of their documentaries before: Enron: The Smartest Guys in the Room, and it was pretty good. I've had a chat with the producers and it seems unlikely to me that the docco will be a hatchet job. That said, I don't know these guys from a bar of soap, so I can't make any guarantees as to their professionalism or ethical conduct.
Information security threats can be existential...
June 21st, 2011 --
It looks like Melbourne-based hosting company and ICANN-accredited domain name registrar Distribute.IT is fighting for its very survival. The company has posted this depressing notice on what's left of its Web-site. It might seem crazy, but Distribute.IT is facing nothing short of an existential crisis because, absurdly, it didn't take offline backups. As the company itself put it:
Could the US Government use LulzSec to justify a crackdown?
June 20th, 2011 --
LulzSec has featured prominently in security discussions after their hacks of PBS, Sony, Nintendo and a raft of gaming companies in the past month. There were even more discussions when they took aim at the CIA and went on to proclaim victory. Patrick wrote an interesting piece which went viral titled: Why we secretly love LulzSec. His argument was simple: So why do we like LulzSec? "I told you so." That's why. The article clearly struck a chord with many who added cries of "hell yeah!" all over the twittersphere.
Plus lots and lots of news...
June 16th, 2011 --
In this week's feature interview we're chatting with Gartner Research Director Andrew Walls about a fascinating research paper released by Microsoft. It's called Sex, Lies and Cyber-Crime Surveys [pdf]. It basically says most cyber crime surveys are misleading.
It's time to party like it's 1999...
June 15th, 2011 --
According to The New York Times, "sophisticated attackers" stole large quantities of customer data from Citi, using computers. You can read the article here. We know the attackers used computers, because they typed an account number into a URL bar, and computers have URL bars. Computers are sophisticated, and anyone who uses them is, apparently, "especially ingenious". Just read the article.
RSA confirms SecurID tokens make nice earrings...
June 10th, 2011 --
In this week's feature interview we're chatting with Neal Wise of Assurance.com.au about RSA's decision to finally admit what we all knew already -- that its SecurID product line has been compromised. RSA is offering to replace tokens... we'll chat with Neal about whether it will make sense to do that or not. In this week's sponsor interview we're joined by Astaro's director of Support Alan Toews. We're talking about the silver lining to all the chaos out there at the moment -- does the awareness raised by the actions of groups like LulzSec offset the harm they cause to their victims?
Elephant in room visible. Cans open. Worms everywhere...
June 8th, 2011 --
Although large sections of the security community will deny it if you ask them, they're secretly enjoying watching LulzSec's campaign of mayhem unfold. So far the "hacker group" has penetrated systems owned by Sony, PBS, the "FBI affiliate site" Infragard, security company (hah!) Unveillance and Nintendo, among others.
Why oh why is infosec software full of bugs?
June 2nd, 2011 --
On this week's show we're taking a look at the issue of failkit. Why is it that the very software designed to keep our networks secure is full of bugs? A pen tester buddy of mine recently found an 0day XSS in a single sign on product... on ITS FRONT PAGE. Another friend found an auth bypass in a two-factor authentication management console. ON ITS FRONT PAGE. It's impossible to find AV engines that don't come preloaded with a zillion format string vulnerabilities, and as you'll hear in this week's news, even Cisco's VPN solution is a nice way to actually own organisations. WTF.
Most weaponised exploits now sold to governments, HD Moore says...
May 26th, 2011 --
On this week's show we're chatting with HD Moore all about a recent decision by research house VUPEN to refuse to share their research into Chrome vulnerabilities with Google. The French group likely sells 0days to governments, militaries and intelligence agencies to use on offensive operations -- so of course sharing its exploit information wouldn't make much sense for them. But what does this mean? Will we see any bugs in the open anymore? Or will they all go underground and be sold to governments?
Day three keynote from the AusCERT conference... good stuff...
May 24th, 2011 --
This is a full presentation by AusCERT's day three keynote speaker Ross Anderson. Ross has kindly allowed us to podcast his entire talk. Ross is professor of security engineering at Cambridge University, and author of the bestselling textbook "Security Engineering: A Guide to Building Dependable Distributed Systems". He was a pioneer of peer-to-peer systems, of hardware tamper-resistance, and of the economics of information security.
Many impact scores exist. How does Microsoft figure out its ratings?
May 24th, 2011 --
Microsoft was kind enough to sponsor our coverage of AusCERT's 2011 conference and as a part of that sponsorship arrangement we're doing these sponsored podcasts. We've already posted two interviews with Microsoft peeps about security issues, but we're posting this full talk as well. Maarten Van Horenbeeck works in the Microsoft Security Response Center managing Microsoft's efforts to share information on security vulnerabilities with third party security software providers, government agencies and national CERT teams.
Shameless self promotion begins below...
May 23rd, 2011 --
Tony Oliver and the Pubcast crew interviewed me about the talk I did at ITWeb's Security Summit in South Africa the other week. My talk was all about militarisation trends in the digital security field. I drew parallels between the Cold War and what's happening now. You can find it here. Thanks to Tony and the rest of his gang for having me on their show. It's good to be on the other end of an interview every now and then!
It turns out routing tables lie more than politicians...
May 20th, 2011 --
This podcast is a complete presentation by APNIC's Geoff Huston. According to the official synopsis: This presentation will outline the role of addresses and routing and the potential attack vectors, and will also report on the progress to establish a secure framework for addresses and their use in the Internet, highlighting the progress in establishing a secure routing environment for the Internet. As regular RB listeners would know, we've followed APNIC's work and papers in this area and they have a habit of pushing out good stuff... so this should be a decent talk. Enjoy!
AusCERT's speed debates back in 2011!
May 20th, 2011 --
You're about to hear one of the highlights of AusCERT's annual conference -- the speed debates! Not to be taken too seriously, the speed debate happens at the end of the con -- it's a chance to have a laugh and shed some lighter perspectives on the security discipline. It's hosted by Australian broadcaster and journalist Adam Spencer. I hope you enjoy it.
PSN breach keeps enterprise customers up at night...
May 20th, 2011 --
Microsoft was kind enough to sponsor our coverage of AusCERT's 2011 conference and as a part of that sponsorship arrangement we're doing these sponsored podcasts. They're general chats with Microsoft peeps about security issues. And in this interview we're chatting with Microsoft Australia's Chief Security Advisor Stuart Strathdee about the effect the PSN network breach has had on large organisations' security outlook. As you'll hear, Stuart says a lot of security projects that had been on the back burner are now being brought forward. Enjoy!