Brian Snow joins the show to smacktalk risk-based security...
April 15th, 2011 --
This week's show is a doozie! We're joined by Brian Snow to discuss risk-based security. Brian, who was the technical director of information assurance for the NSA in the US, recently contributed to a security review of US Department of Energy Nuclear Weapons Facilities. (You can download the unclassified version of the report here for free with registration.) The review sought to understand if Probabilistic Risk Assessment (PRA) methodologies could be used to improve the cost effectiveness of the DoE's security.
Winners in Australia's technology media awards announced...
April 11th, 2011 --
Risky Business has been judged Australia's Best Technology Audio Program for a second year in a row. The Lizzies, Australia's awards for technology journalism, are run by media services company MediaConnect, with each gong judged by a panel of three technology journalists. Risky.Biz edged out entries from Sydney-based radio station 2GB, CNet/ZDNet and others. Big thanks to the listeners, sponsors, guests and everyone who's helped out since the podcast launched back in early 2007.
All about
April 8th, 2011 --
Episode 190 of the Risky Business podcast is brought to you by our good buddies at Astaro. Astaro's Jack Daniel joins us in this week's sponsor interview to talk about the evolution of firewalls. We try to predict what they're going to look like, five or ten years out. No surprises for guessing convergence is going to be a big thing. In this week's feature interview we chat with Kowsik Guruswamy of muDynamics about a project his company kicked off called
MySQL next on the pwnz0riz3d list...
March 31st, 2011 --
This week's show is brought to you by NetWitness. The minting of some dodgy SSL certificates has the whole security world in a bit of a tizz, but this week's feature guest thinks much of the resulting media coverage is missing the point. Why are browsers designed to make Boolean trust decisions? Why do they completely trust CA issued certs? Peter Gutmann of the University of Auckland joins me to discuss. Adam Boileau pops in for the week's news, as always.
Attacks undermine confidence in RSA, Comodo...
March 25th, 2011 --
On this week's show we're mostly focussing on news! It's been a massive week in news -- we've had AT&T users' Facebook data being re-routed through China, we've had more speculation on the RSA hack, Comodo has been busted dishing out trusted SSL certificates for to a box in Iran, there's a stack of SCADA 0day being dropped, there's people going to prison, giant rats eating entire data centres.... ok, well I made the last bit up, but the rest of it, if you can believe it, is true!
Plus much, much more...
March 18th, 2011 --
It's episode 187, the homicide edition, and RSA conveniently falls victim to a drive by. Thanks guys! This week's show is a ripper. We've got two feature guests -- Kimberly Zenz of iDefense and Paul Ducklin of Sophos. We talk about everything from recent disinformation and social media manipulation campaigns in the Middle East and Belarus, the breach of RSA by parties unknown wielding those mysterious "APTs". Allegedly.
More LIGATT shenanigans...
March 16th, 2011 --
Well it's official. I've made it: Gregory D Evans has ripped off my work! Risky.Biz's pal Jericho from recently drew my attention to a book published by Evans and LIGATT Publishing called "Hi-Tech Hustler Scrapbook". From what I can tell, it's just a collection of news and feature articles written by other people. Three of my articles from years ago made it into Evans' "scrapbook": "Cyber Terrorism 'Merely a Theory'," November 11, 2003, ZDNet Australia "Beware the Crime Lords of the Internet," May 31, 2005, The Age
Is chip and PIN really broken?
March 11th, 2011 --
This week's show is jam-packed! We'll be chatting with Andrea Barisani about a presentation he did with Daniele Bianco at CanSecWest this week. They're both from Inversepath, and the title of their talk was "Chip and PIN is definitely broken". Is it? Find out after the news. Also this week we chat with CSO Adam Pointon. What can you do when your executives want to use their iPad or other mobile device on your network? Is it possible to create a security policy for consumer devices on your network? Well, yeah, it is, as it turns out.
Mmmmmm.... nerdtastic....
March 4th, 2011 --
On this week's show Peter Gutmann drops by to talk about Solid State Drives (SSDs) and digital forensics. Depending on which report you saw over the last week you may have read that it's impossible to reliably delete data from an SSD, or that SSDs are a forensic nightmare because they DO delete so much data. Well it turns out both statements are correct, and Peter "Gutmann Method" Gutmann joins us to explain how.
KLP chats about his book, Wikileaks and more...
February 23rd, 2011 --
On this week's show we're having a chat with the editor of's Threat Level blog, Kevin Poulsen. He joins us to discuss his new book, Kingpin, which is out this week in the US and on March 1st is Australia. Kingpin tells the story of Max Ray Vision, a hacker who started off as a typical carder but came to control virtually the entire online credit card fraud scene in the English speaking world. How? By owning rival forums, merging their users into his site and then torching the competition. It was pretty effective.
Publication of stolen information, not just leaks, seems inevitable...
February 22nd, 2011 --
Earlier today I had a very interesting chat with veteran information security journalist Kevin Poulsen about his new book Kingpin. Kingpin is a ripper read and the full interview should be up some time tomorrow with this week's podcast. But it was Kevin's comments around Wikileaks that I found particularly interesting.
Endgame Systems caught up in HBGary Federal leak...
February 21st, 2011 --
One interesting little organisation to come to the attention of the information security industry since HBGary Federal got popped is a US-based company named Endgame Systems. It's a slightly shadowy information security company based in the US that appears to offer its services almost exclusively to the US military and intelligence apparatus. It was founded in 2008 by a bunch of senior ex-ISS execs and founders like Chris Rouland and Thomas Noonan.
Jericho of shares his thoughts on LIGATT Security...
February 17th, 2011 --
This week's edition of Risky Business is brought to you by NetWitness! On this week's show we look at the history of LIGATT Security and its chief executive Gregory D Evans. He says he's the "world's number one hacker" and racked up multiple appearances on CNN, Bloomberg, Fox News and other respected outlets. But that hasn't stopped others from labelling Evans a charlatan.
Didier Stephens on his "These aren't the droids you're looking for" technique...
February 11th, 2011 --
This week's feature interview is a chat with Didier Stephens about his work in bypassing Windows-based whitelists. You can read about Didier's work here and here.
Discover the horror of the Android patch process...
February 4th, 2011 --
This week's edition of the show is brought to you by Tenable Network Security. We'll hear from Tenable's Paul Asadorian in this week's sponsor interview. In this week's feature interview we're chatting with Immunity Inc's Bas Alberts about the security of Google's Android mobile operating system. As it turns out, Android's patching model is pretty awful.
RB reviews 2010, the year that was...
December 10th, 2010 --
This is the last Risky Business podcast for 2010, and it's a cracker! In it we take a look at three things that shaped the information security news agenda in 2010 -- Stuxnet, Wikileaks and the resulting militarisation of the Internet. We also look back on a year of UNIX-beard-guy news with Adam Boileau. We hope you enjoy this special edition -- we'll be back in February 2011!
How your versioning system could be leaking source...
December 3rd, 2010 --
On this week's show we're taking a look at a nifty little presentation by Mark Piper delivered to the recent Kiwicon conference. Pipes is a pentester, and he's figured that around 4% of websites, globally, leak source code because they're allowing metadata from their code versioning and revision control systems to wind up on their production boxes. Sometimes that means you can obtain source code when you're doing a black box pentest, or even if you're trying to pwn Facebook or Twitter on your own time.
Stephen Glass of OP25 summarises the project's research...
November 25th, 2010 --
On this week's show we're joined by Stephen Glass of the OP25 project. P25, also known as Project 25 or APCO 25, is a wireless protocol used by federal, state and local agencies all over the world. It's what drives police and fire service radios, for example. Perhaps not surprisingly there are some problems with the way p25 handles encryption. It relies on the antiquated DES standard and the key is relatively easy to brute force, for example
Stratsec gobbled up by the military industrial complex...
November 25th, 2010 --
Australia's largest independent information security consultancy, Stratsec, will be acquired by British defence contractor and arms manufacturer BAE Systems. The company operates defence-accredited facilities here in Australia, runs common criteria certification labs and employs around 60 consultants nationwide. Risky.Biz understands the announcement of the sale is imminent.
Silvio Cesare joins the show to preview his Ruxcon talk...
November 19th, 2010 --
Silvio Cesare has been on the Australian information security for yonks. He's a talented vulnerability researcher, worked as a scanner architect for Qualys back in 2002, and has generally been kicking around being a smart guy for a long time. These days he's doing a PhD in control flow graph-based malware classification and analysis. In short it's a static-analysis based approach to malware analysis, as opposed to the traditional approach of examining byte-level content. It has real potential to improve antivirus software and Silvio joins us to discuss his work.