Mmmmmm.... nerdtastic....
March 4th, 2011 --
On this week's show Peter Gutmann drops by to talk about Solid State Drives (SSDs) and digital forensics. Depending on which report you saw over the last week you may have read that it's impossible to reliably delete data from an SSD, or that SSDs are a forensic nightmare because they DO delete so much data. Well it turns out both statements are correct, and Peter "Gutmann Method" Gutmann joins us to explain how.
KLP chats about his book, Wikileaks and more...
February 23rd, 2011 --
On this week's show we're having a chat with the editor of's Threat Level blog, Kevin Poulsen. He joins us to discuss his new book, Kingpin, which is out this week in the US and on March 1st is Australia. Kingpin tells the story of Max Ray Vision, a hacker who started off as a typical carder but came to control virtually the entire online credit card fraud scene in the English speaking world. How? By owning rival forums, merging their users into his site and then torching the competition. It was pretty effective.
Publication of stolen information, not just leaks, seems inevitable...
February 22nd, 2011 --
Earlier today I had a very interesting chat with veteran information security journalist Kevin Poulsen about his new book Kingpin. Kingpin is a ripper read and the full interview should be up some time tomorrow with this week's podcast. But it was Kevin's comments around Wikileaks that I found particularly interesting.
Endgame Systems caught up in HBGary Federal leak...
February 21st, 2011 --
One interesting little organisation to come to the attention of the information security industry since HBGary Federal got popped is a US-based company named Endgame Systems. It's a slightly shadowy information security company based in the US that appears to offer its services almost exclusively to the US military and intelligence apparatus. It was founded in 2008 by a bunch of senior ex-ISS execs and founders like Chris Rouland and Thomas Noonan.
Jericho of shares his thoughts on LIGATT Security...
February 17th, 2011 --
This week's edition of Risky Business is brought to you by NetWitness! On this week's show we look at the history of LIGATT Security and its chief executive Gregory D Evans. He says he's the "world's number one hacker" and racked up multiple appearances on CNN, Bloomberg, Fox News and other respected outlets. But that hasn't stopped others from labelling Evans a charlatan.
Didier Stephens on his "These aren't the droids you're looking for" technique...
February 11th, 2011 --
This week's feature interview is a chat with Didier Stephens about his work in bypassing Windows-based whitelists. You can read about Didier's work here and here.
Discover the horror of the Android patch process...
February 4th, 2011 --
This week's edition of the show is brought to you by Tenable Network Security. We'll hear from Tenable's Paul Asadorian in this week's sponsor interview. In this week's feature interview we're chatting with Immunity Inc's Bas Alberts about the security of Google's Android mobile operating system. As it turns out, Android's patching model is pretty awful.
RB reviews 2010, the year that was...
December 10th, 2010 --
This is the last Risky Business podcast for 2010, and it's a cracker! In it we take a look at three things that shaped the information security news agenda in 2010 -- Stuxnet, Wikileaks and the resulting militarisation of the Internet. We also look back on a year of UNIX-beard-guy news with Adam Boileau. We hope you enjoy this special edition -- we'll be back in February 2011!
How your versioning system could be leaking source...
December 3rd, 2010 --
On this week's show we're taking a look at a nifty little presentation by Mark Piper delivered to the recent Kiwicon conference. Pipes is a pentester, and he's figured that around 4% of websites, globally, leak source code because they're allowing metadata from their code versioning and revision control systems to wind up on their production boxes. Sometimes that means you can obtain source code when you're doing a black box pentest, or even if you're trying to pwn Facebook or Twitter on your own time.
Stephen Glass of OP25 summarises the project's research...
November 25th, 2010 --
On this week's show we're joined by Stephen Glass of the OP25 project. P25, also known as Project 25 or APCO 25, is a wireless protocol used by federal, state and local agencies all over the world. It's what drives police and fire service radios, for example. Perhaps not surprisingly there are some problems with the way p25 handles encryption. It relies on the antiquated DES standard and the key is relatively easy to brute force, for example
Stratsec gobbled up by the military industrial complex...
November 25th, 2010 --
Australia's largest independent information security consultancy, Stratsec, will be acquired by British defence contractor and arms manufacturer BAE Systems. The company operates defence-accredited facilities here in Australia, runs common criteria certification labs and employs around 60 consultants nationwide. Risky.Biz understands the announcement of the sale is imminent.
Silvio Cesare joins the show to preview his Ruxcon talk...
November 19th, 2010 --
Silvio Cesare has been on the Australian information security for yonks. He's a talented vulnerability researcher, worked as a scanner architect for Qualys back in 2002, and has generally been kicking around being a smart guy for a long time. These days he's doing a PhD in control flow graph-based malware classification and analysis. In short it's a static-analysis based approach to malware analysis, as opposed to the traditional approach of examining byte-level content. It has real potential to improve antivirus software and Silvio joins us to discuss his work.
NSA veteran and Risky Business favourite joins the show...
November 12th, 2010 --
Brian Snow worked for the USA's National Security Agency from 1971 until a few years ago. By the time he retired from the agency he had risen through the ranks to the position of technical director, information assurance. He's also one of Risky Business listeners' favourite guests. This week's show features an in depth conversation with Brian about all sorts of recent trends in the information security area -- Stuxnet, technical debt, surveillance news and more. It's a cracker interview.
Are the banks stooging us all?
November 4th, 2010 --
Today's podcast is a special edition -- I'm basically on holidays and travelling for work for the next three weeks so there will be no news section for a little bit, but don't worry, we'll be back to regular programming in three weeks. But until then we've got some killer interviews for you. This week you'll hear from InQTel CSO Dan Geer and McAfee CTO George Kurtz.
How a pointy-clicky tool can lead to real change...
October 28th, 2010 --
Firesheep is a Firefox plugin that automates the hijacking of http sessions over unsecured wifi access points. While sites like Facebook, Twitter and so on use https to protect login credentials, after successful authentication nine times out of ten you drop back to a http session. That means, of course, that your session cookie is flying around in plain text and your authenticated session is easily hijacked. But session hijacking has always been a wee bit fiddly... until now.
Famed database hacker will release forensics tool...
October 21st, 2010 --
In this week's feature interview we're catching up with David Litchfield. David is a renowned database hacker and a founder of NGS Software, which was acquired by NCC group in 2008. He left NGS back in Feburary this year. Since then he's written a database forensics tool for Oracle DBs, v3rity. David joins the show to tell us all about it.
All your create process calls are belong to big chief...
October 15th, 2010 --
In this week's show we're taking a look at a new technology from Immunity Inc. It's called El Jefe and it's actually pretty interesting. Instead of monitoring network traffic, El Jefe keeps an eye on processes running on all your machines. It's a pretty interesting intrusion detection strategy and I think it's got legs. Justin Seitz of Immunity joins the show to tell us all about it.
Critical infrastructure critically insecure... blame the squirrels!!
October 8th, 2010 --
On this week's show have a chat about critical infrastructure. The Auditor General in the state of Victoria has released a 56 page report into an investigation is conducted into the security of transport and water-infrastructure control systems.
Government report is hardly glowing...
October 7th, 2010 --
The Victorian Auditor General has wrapped up its investigation into SCADA security in the transport and water sectors down south. It found major problems that will surprise absolutely no one. In short, four out of five of the installations examined were nightmarishly insecure. It also found a real lack of awareness among the operators of critical infrastructure that they even have a problem.
Plus Alastair MacGibbon discusses USA wiretap proposal...
October 1st, 2010 --
NOTE: The original post accidentally linked through to episode 169 -- fixed now! In this week's feature interview we'll be taking a look at a proposed bill in the USA that would see all software companies having to build a lawful interception capability into their products. Basically the feds in the USA would like to be able to tap Skype, Blackberrys, OTR instant messenger and so on.