Plus details on the latest SSL/TLS bug, 'droid bugs and more!
September 23rd, 2011 --
This week's feature guest is the head honcho of the Beef Project, NGS Secure's Wade Alcorn. Wade joins the program to talk about the SSL/TLS flaw that Juliano Rizzo and Thai Duong plan to demonstrate at the Ekoparty security conference. They've found some really nice flaws in TLS 1.0 that mean you can, under some circumstances, when six planets align in the June dawn, extract session cookies from SSL connections. It's not a bug that marks the end of the world, but it's just a really interesting one so Wade will be along to discuss it.
Misleading the public for fun and profit...
September 21st, 2011 --
Over the last couple of weeks you may have spotted some news stories floating about claiming cybercrime costs society US$388bn annually, with Australia alone suffering A$4.6bn in yearly losses. If the numbers are to be believed, these reports say, that means cybercrime costs us nearly as much as the global trade in illicit drugs. It's a sensational claim and makes an awesome headline, but any way you slice or dice the numbers they just simply don't stack up.
Ain't no one gonna stop this crazy old infosec bus...
September 16th, 2011 --
On this week's show we chat with Ruxcon organiser and vulnerability researcher Chris Spencer. Chris pops by to offer a five percent discount on Ruxcon training to Risky Business listeners, and we also have a quick chat to him about trends in the vulnerability research game. Chris has been popping shells and publishing exploits since the nineties, so he's seen a few things change!
Live from the "wanker chillout area"...
September 15th, 2011 --
The following is a recording of a panel discussion about Wikileaks that took place at the Splendour in the Grass music festival in Woodford, QLD, Friday, 29 July 2011. Moderating the panel is The Chaser's Julian Morrow. On the panel:
* Nicholas Hayden, Hungry Beast, ABC TV
* Marc Fennell, Hungry Beast, ABC TV
* Grace Morgan, Julian Assange's Australia-based solicitor
* Suelette Dreyfus, Author, Underground
* Patrick Gray, Host of the Risky Business podcast
* Christine Assange, Julian Assange's mother
The recording is unedited. Enjoy!
Someone has their sights set on Australian users...
September 14th, 2011 --
It seems the bad guys are targeting Australian Internet users this week. I got a few of these this morning, as did a couple of Risky.Biz listeners:

From:
Date: 14 September 2011 10:05:53 AM AEST
To:
Subject: Attention for the ABN owners
x-original-to: REDACTED
x-mailer: azzgnshjz.46

Australian Taxation Office together with Australian Business Register wants to inform you that starting from January, 1 2012 new rules of use of ABN number are being introduced. The changes will concern:
- GST credits;
Man, those CAs sure do know how to screw things up, huh?
September 9th, 2011 --
On this week's show we take a look at the security of browser JIT engines with two extremely smart guys: Chris Rohlf and Yan Ivnitskiy of Matasano Security. They presented a paper in Vegas all about attacking clientside JIT compilers. It's good, old-fashioned security research -- the type of research that's increasingly being withheld from the public these days. What is a JIT compiler? How does it work? Do they present inherent security problems? Tune in to find out!
Risky Business gets all political and stuff...
September 2nd, 2011 --
What a week in information security! Between getting owned, the Iranian Government apparently hacking a Dutch CA to mint around 250 valid certs for stuff like * and Wikileaks experiencing a spectacular opsec fail, there's plenty to talk about in this week's news segment with Adam Boileau.
Secret squirrel Diocyde joins the show to discuss attribution and Chinese cyber-espionage...
August 26th, 2011 --
This week's feature interview is with anonymous infosec blogger Diocyde. He has access to some fairly sensitive shit, so we can't tell you his name and we've had to disguise his voice. Diocyde is best known as the author of the Veiled Shadows blog.
Microsoft defends its prize for defensive security research...
August 19th, 2011 --
You may have heard about Microsoft's Blue Hat Prize for defensive security research. The company is running a contest for the best memory corruption bug mitigation technology. So, if you reckon you've found the next DEP or ASLR, you could be eligible for the company's $200,000 first prize. It marks a departure from bug bounties -- this is a contest that rewards defensive research, not just new attacks.
Massive APT-related dump matches leaked HBGary analysis...
August 18th, 2011 --
A massive Pastebin dump of domain names and IP addresses supposedly linked to a cyber espionage ring appears to be the real deal. The Pastebin dump, dated August 15, lists around 850 entries containing domain names and IP addresses, supposedly leaked by "RSA Employee #15666". The dump asserts the IP addresses and domain names listed are used in command and control operations by a cyber-espionage ring.
Is iOS 4.x enterprise ready? Well, maybe...
August 12th, 2011 --
In this week's feature interview we're chatting with Dino A Dai Zovi about Mac security -- Dino's well known as a Mac hacker and he's just done a BlackHat talk in which he evaluated Apple's iOS 4.x operating system for enterprise suitability. How did it stack up? Find out after the news! Also this week we check in with Sophos Network Security director of support Alan Toews about Moxie Marlinspike's latest work, an alternative way of doing SSL certificates that completely does away with CAs. That's this week's sponsor interview. Adam Boileau, of course, joins us for this week's news.
How a McAfee "research paper" turned into a media circus...
August 5th, 2011 --
On this week's show we're taking a look at the most devastating state sponsored planet melting, child eating APT the world has ever seen... according to Gizmodo it's the BIGGEST CYBER ATTACK IN HISTORY. Ummm... actually no, it's a fairly unsophisticated botnet comprising 70 targeted infections.
Authorities scoop up Topiary, "Evil"...
July 28th, 2011 --
This week we're chatting with Detective Superintendent Brad Marden of the Australian Federal Police. While the FBI are out locking up Low Orbit Ion Cannon users on no-bail warrants, Mr. Marden and his team, apparently, are out doing real, actual police work to catch real, alleged criminals. How refreshing! Listeners to this program would have heard of the case of Distribute.IT -- an Australian domain name registrar and hosting company that got majorly worked by a hacker calling himself "Evil from efnet".
LulzSec makes a spectacular return. PLUS Silvio Cesare talks academia.
July 22nd, 2011 --
In this week's feature interview we're chatting with Silvio Cesare. Silvio's an extremely well regarded infosec guy down here in Oz. He'll be chatting to us about his experience in academia. Silvio argues much criticism of academia in industry largely misses the point, and academia actually serves infosec quite well. Cryptography anyone?
Are authorities misleading us or are they actually this stupid?
July 20th, 2011 --
As many readers would no doubt already be aware, the FBI has just arrested 16 "members" of Anonymous in relation to DDoS attacks and intrusions. The US Department of Justice swiftly issued a press release with the catchy, ALL CAPS title of "SIXTEEN INDIVIDUALS ARRESTED IN THE UNITED STATES FOR ALLEGED ROLES IN CYBER ATTACKS". So this is a massive blow to "Anonymous" and its sophisticated campaign of mayhem, right? Wrong.
Did you hear the one about Sony's CAPTCHA?
July 15th, 2011 --
This week's show is all about the news -- a 30 minute dose of Metl! With Anons being arrested, parties unknown pwning defence contractors in the name of #antisec, Sony doing (even more) dumb stuff, Zeus-grade viruses smashing Android devices, India trying to wiretap Skype, support for XP running out in less than three years, Microsoft Security Centre dishing out porn and Morgan Stanley losing customer info on unencrypted disks, we just didn't have time for a feature interview this week!
It's all very cypherpunk, innit?
July 8th, 2011 --
This week's edition of the show is brought to you by Tenable Network Security, thanks guys. In this episode we're taking an in-depth look at BitCoins. Most listeners would have heard of the fledgling online currency by now, but there are a number of things that make BitCoins extremely interesting. It's the world's first popular virtual, cryptographically supported commodity, and once you wrap your head around it, it's very cool stuff, regardless of whether or not you think it has a future. I'll be joined by regular guest Paul Ducklin to talk about BitCoin, after the news.
Bulletins prematurely released on evening of July 4, USA time...
July 5th, 2011 --
AusCERT has broken an embargo, accidentally and prematurely broadcasting a security bulletin pertaining to multiple vulnerabilities in the BIND DNS server earlier today. The accidental disclosure comes as the United States celebrates the evening of July 4, its independence day. The bulletin was supposed to be issued on the morning of July 6, US time. Instead, it was mailed to AusCERT's subscribers a short time ago.
Yoda says: Leave your database online you should not. Hmmmmmmm?
June 30th, 2011 --
Episode 200 FTW! In this week's feature interview we'll be chatting with Daniel Grzelak. Dan's the founder of -- an interesting little website that pulls together compromised information and lets you see if you've been affected. Dan was searching Google for .sql files that had inadvertently been made accessible online and indexed... aaaaand he found the entire database for Groupon India including plaintext passwords FOR THE LOSE!!! He'll be telling us all about that after the news.
Dude where's my .sql?
June 28th, 2011 --
The entire user database of Groupon's Indian subsidiary was accidentally published to the Internet and indexed by Google. The database includes the e-mail addresses and clear-text passwords of the site's 300,000 users. It was discovered by Australian security consultant Daniel Grzelak as he searched for publicly accessible databases containing e-mail address and password pairs. Grzelak used Google to search for SQL database files that were web accessible and contained keywords like "password" and "gmail".