Collaboration the key to infrastructure security...
May 19th, 2009 --
Paul Twomey is ICANN's President and CEO. In this keynote address recorded on day one of AusCERT's security conference, Twomey argues collaboration is the key to ensuring the long-term security of Internet infrastructure. UPDATE: The link to the audio file was incorrect in the original post. Fixed now.
Talks and interviews will go live today...
May 19th, 2009 --
It's day two at AusCERT's annual security conference on the Gold Coast, and Risky.Biz is ready to roll with recorded talks and interviews. We'll be publishing interviews with all our Risky Business favourites including Kimberly Zenz of iDefense, Auckland University's Peter Gutmann,'s Neal Wise, Queensland Police Superintendent Brian Hay, Geekonomics author David Rice and many, many more. All recorded content will be available through the Risky Business 2 RSS feed, which can be found here.
SDL may not make sense for web applications
May 15th, 2009 --
This week's podcast is hosted by Vigabyte virtual hosting and sponsored by Tenable Network Security. Risky Business 108 takes a look at the SDL as it applies to web applications. White Hat Security's Jeremiah Grossman joins the program to argue secure code, in the case of web applications, isn't necessarily cheaper code. It sounds like heresy, but Grossman makes some pretty compelling points during his interview.
Cheap inner Sydney rents used as online fraud bait...
May 15th, 2009 --
Criminals are targeting Sydney house-hunters through Fairfax Digital's real estate website. Fraudsters are placing fake rental property listings for affordable inner Sydney apartments on the site. Upon contacting the purported landlord, would-be renters are being instructed to transfer money offshore in exchange for apartment keys that will never arrive.
New company plans aggressive expansion...
May 11th, 2009 --
Australian information security companies Stratsec and SIFT have merged. The new company employs a total of 65 people, with no staff being made redundant from either SIFT or Stratsec during the merger. The new company will retain the stratsec name and recruit 4-5 new staff immediately with a view to further expansion later this year, according to the new company's CTO and SIFT founder Nick Ellsmore.
Restructure claims senior MS security staffer... UPDATED with MS response 6pm 11/5/09
May 11th, 2009 --
Microsoft's senior security strategist, Steve Riley, has been made redundant. After more than 10 years working for Microsoft, Riley fell victim to a restructuring program last Tuesday. "As a part of Microsoft's second round of restructuring, my position was eliminated yesterday and my employment with Microsoft has ended," Riley wrote on his blog. "I'm certainly not disappearing... I'll remain involved in the security industry."
New research could have consequences for future software...
May 7th, 2009 --
Thanks to our sponsor Sophos, this week's edition of the Risky Business podcast is ready to download! This week's feature interview is pretty kickass; a chat with security megalegend Mark Dowd. We talk to Mark about his entry in Google's Native Client security competition. It's very interesting stuff that could really have implications for your job in a few years.
Straight from the horse's mouth. Nyeah.
May 6th, 2009 --
It's been 24 hours since Risky.Biz published a news story about several vulnerabilities -- CSRF and XSS bugs -- found in McAfee's secure vulnerability scanning service. The story has gone global, with outlets like and The Register picking it up.
Embarrassing vulnerabilities in McAfee websites poised to make headlines...
May 5th, 2009 --
Security software maker McAfee is an industry laughing stock following the disclosure of embarrassing security vulnerabilities in its websites. A Cross Site Request Forgery (CSRF) vulnerability uncovered in McAfee's "secure" vulnerability scanning portal would have allowed an attacker to take control of client accounts. The portal is designed to scan customer websites for security vulnerabilities and fulfil some PCI DSS compliance requirements.
With news that four Swedes are heading to the clink for running The Pirate Bay website, Patrick Gray looks back at 10 years of illegal file sharing...
May 4th, 2009 --
This piece was written for the Australian Broadcasting Corporation and originally ran here. In June, Internet piracy as we know it turns 10.
Centrelink released draft auth protocol hoping for torture test...
May 1st, 2009 --
Centrelink's smart card architect, Glenn Mitchell, has invited all and sundry to break its new authentication protocol, PLAID. Australia's welfare agency released the draft implementation of PLAID last month. It created the new protocol because off-the-shelf solutions didn't match Centrelink's "business needs," Mitchell says. He now hopes crypto-geeks all over the world will rip into the software, now in its second draft. "We need to make sure it's as secure as we believe it to be," he told the Risky Business podcast. "There may be issues... if anyone does any issues with it then we're more than happy to take feedback on board and see what we can do to review it."
The Australian government hopes its new protocol will be the standard of the future...
May 1st, 2009 --
This week's edition of Risky Business is brought to you by Tenable Network Security and hosted by Vigabyte virtual hosting at discounted rates.
This is one CD you'll be carrying in your toolkit from here on in...
May 1st, 2009 --
Introducing Kon-boot, a new tool that allows users to bypass password authentication on Linux and Windows machines by altering the kernel on the fly. It's just another way to get full privileges once you have physical access, but it looks nice and simple and even supports Windows 7 for Chrissakes! It's free and you can get it here.
It's a mixed bag this week...
April 24th, 2009 --
This week's show is brought to you by Check Point Software. This week's show is a bit of a mixed bag. We chatted with 451 group analyst Paul Roberts live from the floor at the RSA conference in San Francisco. Then for something completely different we quizzed Adam Pointon about his adventures with X10 home automation equipment. Check Point Australia's Steve MacDonald is this week's sponsor guest, and Adam Boileau was this week's news guest.
The prosecution of The Pirate Bay Four in criminal courts was a waste of police resources, argues Nigel Phair.
April 21st, 2009 --
Last week a Stockholm court found four men guilty of promoting copyright infringement for running The Pirate Bay, a peer-to-peer site primarily used for illegal file-sharing, and sentenced them to a year in prison, plus a large fine. Handing down a year in the big house is a strong deterrent against those who may consider doing this type of thing in the future, but is it really the best judicial outcome? The Swedish cops raided The Pirate Bay a couple of years ago and seized servers, but even this action didn't shut the site down. The investigation was well handled, but surely police resources should be dedicated to more serious crimes.
Verizon Business gives us a sneak peek into its 2008 data breach investigations...
April 16th, 2009 --
This week's podcast is brought to you by Microsoft and hosted, as always, by Vigabyte virtual hosting. On this week's show we hear from Bryan Sartin of Verizon Business Security Solutions. He'll be discussing that company's 2009 Data Breach Study. Verizon has a well-established forensics unit and its reports are interesting. This study is to the infosec industry what black box reports are to the aviation industry; a post mortem examination of what went wrong.
Breaches, dataloss up in 2008, report claims...
April 16th, 2009 --
Verizon Business Security Solutions has released its 2009 Data Breach Study. The report is essential reading; the post-mortem analysis of data breaches is to the information security industry what black-box flight recorder information is to the aviation industry. By understanding where things have gone wrong, we can avoid repeating the mistakes of some of our peers. A phone interview with the company's director of investigative response, Bryan Sartin, has been recorded and will be included in Risky Business #104, which is due to be published in the next 24 hours. In the meantime, the 52-page report can be found in PDF form here. It's a must-read for anyone working in enterprise security.
The limited scope afforded to your security staff and contractors could harm your business, writes Metlstorm...
April 14th, 2009 --
Building security testing into your project lifecycle is one of those critical growing-up points for a business. All enterprises must eventually accept that security is just one more part of the software or system development lifecycle. Both designs and implementations must be reviewed, developers need security training and infosec teams need the power to veto go-live dates. Lots of businesses have arrived at this point. But what often happens as a result is that security gets siloed per project. The project scope determines what security people will see, where there is budget, and critically, where the incentive to fix the problems lies. This means that the ways in which project silos interact -- the reefs between scope islands -- are never in scope. And as we all know, scope is for project managers, auditors and security consultants. Hackers don't care about your scope. Let's look at how scoping can create some pretty perverse outcomes.
New rules to force log retention have unexpected effects, writes Nigel Phair...
April 14th, 2009 --
In February 2009, Sen. John Cornyn and Rep. Lamar Smith, both Texas Republicans (yee-haw), announced proposed legislation titled the Internet SAFETY Act, designed to combat cyber-predators and online child exploitation. Under this Act, lawmakers are seeking to impose requirements on ISPs and wireless network operators to keep records about the identities of their users. Under the law, network operators would have to retain the network addresses assigned to any users for a minimum of two years, information which law enforcement could use to track down criminals. But the broad language of the Bill, which would apply to any "provider of an electronic communication service," could mean that coffee shops, airport lounges and even individual households would be required to keep detailed logs, and that just isn't going to happen.
CISSP for everyone! Yay!!
April 9th, 2009 --
This week's show is sponsored by Sophos, and hosted, as always, by Vigabyte Virtual Hosting. In this week's feature interview we'll be hearing from former Network Solutions CSO Richard Forno. He's joining us to discuss a proposed bill in the USA that would require all information security professionals working on government systems to hold some sort of certification. It's an interesting idea, but Forno hates it.