Podcasts

You're about to hear a full presentation recorded at the AusCERT conference. Scott McIntyre is a recent immigrant to Australia... he used to work for XS4all in the Netherlands, but these days he works as the Senior Technology Architecture Specialist in Security Operations for Telstra in Melbourne. His presentation is all about his views though, not those of Telstra. Disclaimer. Etc.

His talk focuses on what he calls the IT Security Generation Gap. Too often are today's security policies written and enforced by people who don't "get" social media, the public Internet, iPads and BitTorrent. But at the same time, anyone with an infrastructure to secure needs workable procedures and tooling to protect their data and systems. His talk covers common failings in this generation gap and provides guiding principles to close the gap and reduce exposure.

You're about to hear a full presentation recorded at the AusCERT conference: a great presentation by Mark Newton, an engineer with Internode, all about IPv6 security.

Internode is an ISP and Mark really knows his stuff. We all know security considerations in IPv6 aren't exactly thrilling, but Mark managed to actually make this presentation interesting and a little bit thought provoking. I was popping in and out throughout this session and yeah, it was definitely more interesting than I was expecting. So here it is!

Our coverage of the conference is brought to you by the fine folks at Microsoft -- without their support, there would be no AusCERT podcasts, so big thanks to MS!

As a part of that sponsorship Risky Business is posting a few sponsored podcasts -- this is one of them, an interview with Microsoft's Identity specialist Paul Conroy. In it, we discuss what enterprise customers out there are actually looking for, as well as having a bit of a chat about SAML 2.0 -- an authentication protocol that you can use... and I can't believe I'm going to say this. In the... cloud. I said cloud. I'm sorry. But listen to the interview, it'll make sense.

This podcast is an AusCERT talk by Ian Appleby. He's the Information Security Manager at Endeavour Energy and he's responsible for the security of its Corporate and SCADA Systems.

The talk is on Risk Management in a Smart Metering Environment.

In this interview we hear from Tim Hudson, an independent cryptography dude, who, as you'll hear, may or may not have worked on Queensland's Smart Card drivers license project. Absurdly, on legal advice, he can't actually tell us if he worked on that project.

There were mutterings in the Queensland state parliament some time ago about a project consultant criticising the rollout... the minister responsible also said something about the department exploring legal options to shut said critic up. Geez, I wonder if it was Tim?

Tim did a presentation here at AusCERT earlier today... I asked him to tell me what he spoke about.

You're about to hear a presentation by Jason Larsen, a security researcher at the Idaho National Laboratory. The INL is run by the US Department of Energy and is home to the National SCADA Testbed (NSTB) and the Industrial Control System CERT(ICS-CERT).

I'm going to read from his talk synopsis here: The first half of Jason's presentation will be an overview and update on what's happening in control. In most cases, simply sending properly formatted commands to the field equipment is enough, but there are cases when this does not achieve the attacker's goals. If the field equipment contains sanity checks, the attacker needs sub-second control, or if he simply wants to hide, he will invade the field equipment. Understanding the challenges the attacker faces are essential for any sort of investigative or forensics effort. The second part of the presentation will cover attack and forensics of the embedded systems used in industrial control systems.

We were a couple of minutes late plugging into the desk, so we'll pick up Jason's talk just a few minutes in.

You're about to hear an excerpt from the opening keynote from the AusCERT conference by comedian Bennett Arron.

Several years ago Bennett Arron was in serious debt. He owed thousands of pounds to mobile phone companies, catalogues and department stores. But it wasn't him! As it turned out, he was a victim of Identity Theft.

Years later, he wound up writing a comedy show about his experience... he eventually directed and presented a Documentary for Channel 4 called How To Steal An Identity.

In it he actually stole the identity of the then Home Secretary, Charles Clarke.

He was arrested over it, but you'll be pleased to know he was never convicted.

Anyway, Bennett was kind enough to allow Risky Business to play an excerpt from his talk. The whole thing is about an hour long and very entertaining... so obviously you should book him for your next exotically-located conference and or event. Big thanks to Bennett for allowing us to play this chunk of his talk.

In this interview we're chatting with Wade Alcorn. By day he's NGS Security's general manager for Asia Pacific, but by night he's out there maintaining BeEF -- the browser exploitation framework.

If you haven't heard of beef it's a very cool tool. If you can get someone to load it into your browser, either by them visiting a site you control directly, or alternatively through some sort of cross site scripting bug, then you can get the browser to do all sorts of stuff for you -- like portscan the victim's LAN, attack JBOss servers and stuff like that.

I caught up with Wade and asked him to tell us all about BeEF and what's the latest. With beef. Here's the beef.

This week's show was cut together from Johannesburg, South Africa!

In it we discuss Google's latest bug bounty initiative -- they're not just offering cash for bugs in software products, these days they're also offering cash for bugs in their online properties. Got an auth bypass for Gmail? Ka-ching!

This week's show is brought to you by Astaro. Jack Daniel of Astaro joins us to talk about restricting certain content types from SOEs. Do we really need Flash in our operating environments anymore? Can we just drop it and gain some security?

Adam Boileau drops in, as always, to discuss the week's news headlines.

This week's show is a bit shorter than usual. We'll check in with Adam Boileau to discuss the week's news headlines and catch up with Tenable Network Security CEO Ron Gula in this week's sponsor interview.

Between those two we cover the Playstation Network hack, the kidnapping of Ivan Kaspersky, Microsoft's decision to coordinate the disclosure of vulnerabilities in non-MS products and much, much more!