Risky Business Podcast

On this week's show we're chatting with security researcher Charlie Miller about the work he's been doing with Chris Valasek on hacking cars. It's fun stuff, but yeah, it might make you want to go back to driving an older car.

This week's show is sponsored by BugCrowd. We've got a great interview with BugCrowd founder and CEO Casey Ellis about a really, really interesting little case study he went through involving a random bug-hunter who'd tried blackmailing a BugCrowd client. The solution they came up with was ingenious and spectacularly lulzy.

This week's show is brought to you by Adobe! Big thanks to Adobe for making this week's show possible.

And we've got an... err... *interesting* program for you this week... we'll be chatting with Andrew Auernheimer, aka weev, about the recent appeal victory that saw him out of prison after 14 months inside. Is he going to pull his head in after his scrape with the law?

He says no way!

Also this week we chat with Wade Baker of Verizon Business Security Solutions about the latest Verizon Data Breach Investigation Report and the nine attack patterns they've observed from 10 years of breach data.

Adam Boileau, as always, pops in to discuss the week's news headlines. Show notes are here.

It's a four day week this week and a four day next week so I'm afraid I couldn't organise feature interviews for both, so this week you're getting an extra long news section and a sponsor interview!

This week's show is brought to you by Senetas, makers of fine, fine layer 2 encryption gear. If you're planning a greenfields network you have absolutely no excuse to not check out their stuff, it rocks like a banana on its back. This week we're joined by Senetas CEO Andrew Wilson in the sponsor slot. He'll be talking about a privacy act readiness survey Senetas did that yielded some genuinely depressing results.

He also compares director-level attitudes to infosec to director-level attitudes to occupational health and safety issues 50 years ago. It's a really, really interesting take so do stick around for that.

Show notes are here.

This week's feature guest is the man with the Midas touch -- former McAfee president and current FireEye CEO Dave DeWalt. This is the guy who sold McAfee to Intel for $7.8 billion dollars, so I chat to him about a whole bunch of topics, from his thoughts on how Intel has handled that deal, through to Snowden, to the security business overall. It's a great chat with one of the most interesting executives in this whole industry.

Also this week we chat with Marcus Ranum who's in the sponsor chair on behalf of Tenable Network Security. He's along this week to look back on his very popular 2005 blog post "The six dumbest ideas in computer security". Are they still dumb? Unsurprisingly they are, but the landscape has shifted a bit. That's a great chat and it's coming up later.

Adam Boileau joins the program to discuss the Heartbleed bug and some other infosec news from the last week.

Show notes are here.

On this week's show we're taking a look at the Target/Trustwave suit. A couple of banks were suing Target and its alleged security auditor Trustwave over the massive credit card data breach last year. That suit has been withdrawn, possibly temporarily, and another has been filed on behalf of some other banks. We speak with former New York assistant DA and infosec law specialist Dave Stampley about these types of suits. Do they have legs?

This week we welcome a new sponsor -- Rapid7.

Rapid7 is launching an interesting campaign right now to try to fix the Computer Fraud and Abuse Act (CFAA) in America. They say it's stifling research. Rapid7's global security strategist Trey Ford joins the show to fill us in on that.

As news regulars Adam Boileau and The Grugq are both in Singapore for Syscan and probably nursing cripping hangovers, this week we're joined by a special guest in the news chair, Christopher Hoff. Hoff is the Vice President of Strategy for Juniper Networks' security business unit, but you may know him as Beaker on Twitter.

This week's feature interview is with nmap creator Gordon Lyon, who's probably better known by his handle: Fyodor.

Last week we brought you the news that the Full Disclosure mailing list was shuttered following legal threats from someone describing themselves as a security researcher. Fyodor runs the seclists.org mailing list archive and he's decided to bring FD back from the dead. I got him on the line and asked him why.

This week's show is brought to you by Bridgepoint -- a Queensland-based company that does all sorts of stuff -- systems integration, pen testing and PCI. With the G20 coming up we chat with the company's principal security consultant Michael Trott about the preparations underway. When the world shines its spotlight on Brisbane in November boy oh boy, everyone with a gripe is going to be trying to deface pretty much every website with the word "Queensland" on it. That's coming up soon.

Adam Boileau, as always, joins us to discuss the week's security news headlines.

Show notes are here.

On this week's show we're taking a look at some absolutely awesome research by Azimuth Security's Tarjei Mandt on the pseudo random number generators used by iOS 6 and 7. Tarjei has figured out a way to blow away iOS's memory mitigations with some very cool tricks.

This week's show is sponsored by Tenable Network Security, and this week we're joined by Carlos Perez, Tenable's Director of Reverse Engineering in the sponsor slot. He heard last week's interview all about using PowerShell as a post exploitation tool, and as it turns out, he's one of the leading experts out there on using PowerShell to do sneaky stuff. So he'll be along to pretty much pick up where we left off last week. More PowerShell! That's this week's sponsor interview.

Adam Boileau, as usual, joins us for the week's news headlines.

Show notes are here.

On this week's show we have a look at PowerShell, the Microsoft sorta scripting language admin thingy. As it turns out, PowerShell can be an attacker's best friend when it comes to lateral movement through a network. We'll chat with Kieran Jacobson about that in this week's feature interview. He did a cracker presentation at CrikeyCon where he demo'd owning a domain controller and dumping all its creds with something like five lines of PowerShell. I mean, there are caveats there, but wow... the demotime was food for thought.

This week's show is sponsored by HackLabs. HackLabs head honcho Chris Gatford joins the program in this week's sponsor interview to have a yarn about the upcoming great XP switch of 2014. Ditching XP in your environment shouldn't be a supreme challenge, but what about specialist devices? Like the heart monitor that you can't patch but needs to be networked so you can know Mr. Jones in 14F is about to have a heart attack? Yeah, that'd be one of those intractable problems. Yay.

It's a solid week for BitCoin news. The (maybe) outing of the elusive Satoshi Nakamoto, the MtGox mystery, dead exchanges and even, unfortunately, a suicide of a former BitCoin exchange CEO in Singapore.

But there's been plenty of other news! Apple's gotofail bug, GnuTLS issues, more NTP amplification attacks, and of course YahooWebcamGate. You can find links to the news items discussed in this week's show here.

There's also a stack of interviews in this week's podcast, including a bunch recorded in San Francisco last week. The run sheet looks like this:

\t- The Grugq discussing the news headlines of the last two weeks
\t- Marcus Ranum on the RSA trade floor discourse
\t- RSA CEO Art Coviello on the NSA controversy
\t- ACLU principal technologist Chris Soghoian
\t- RSA Chief Architect Robert Griffin
\t- Jack Daniel of Tenable Network Security (sponsor interview) on the "Threat Intelligence" buzzword craze

This week we chat with a local consultant, Mark Brand of Datacom TSS, about the general topic of authentication. We've seen some interesting cases of things going wrong with auth on consumer sources lately. The @n Twitter username hijacking, the Matt Honan disaster of 2012.

Now Google's run off and bought SlickLogin, a novel approach to mobile app auth. Will that get us anywhere? And what about NameCoin -- a BitCoin protocol-derived peer-to-peer authentication scheme? I'd never heard of it, but the concept is fascinating. Mark pops by to fill us in.

This week's show is brought to you by Senetas. In this week's sponsor interview we're chatting with Senetas CTO Julian Fay about some work they've been doing on their Ethernet products. As it turns out, variable frame sizes can give up too much info to an attacker, so they've worked on some neat new tech that basically forces their stuff to send fixed length frames and make sure everything stays random.

Adam Boileau pops by as usual to chat about the week's security news. Show notes, including links, are here.