SSCC 107 - Hostgator, Safari, Java, pwning planes with Android, and Facebook Home [PODCAST]

Filed Under: Android, Apple, Apple Safari, Facebook, Featured, Java, Law & order, Malware, Podcast, Security threats

For your listening pleasure, here's the latest episode in our popular "Chet Chat" series.

Senior Security Advisor Chester Wisniewski discusses the latest security news with regular guest Duck (Paul Ducklin).

The pair turn their unique blend of insight, expertise and scepticism on recent events in the computer security world.

At a tidy quarter-hour in length, the Chet Chat is ideal for your daily commute or for a spot of lunchtime listening!

Listen now:

(23 April 2013, duration 13:56 minutes, size 8.4 MBytes)

Download now:

Sophos Security Chet Chat #107 (MP3)

Chet Chat episode 107 shownotes:

Last week Chester was in Boston, so we offered our condolences to the people of that city, and made some choice remarks about what we thought of the scammers who leapt on the stories so quickly to try to add computer injury to physical and emotional pain.

• Hostgator hacked, poetic justice served

Hostgator, a Texas server hosting company, was hacked by an insider who made off with an SSH key and allegedly set about stealing data after getting fired. We noted the poetic justice of how investigators dealt with the intruder when they spotted him in the middle of a hack, and were able to use his TCP session "in reverse" to catch him. They came up with enough evidence of wrongdoing to lead to his arrest. Hostgator had kept the sort of logs that made the investigation possible, and we were of the opinion that you should do the same.

• Safari updated with more safety for Java

Apple updated Safari with an "allow/deny" dialog for Java applets. We weren't 100% happy with a solution that requires yet more technically-informed decision making by users in real time, but we pointed out that it's a better middle ground than just having Java on or off. Many Naked Security readers have shared their pain at wanting to throw Java out of their browser but being unable to do so for unavoidable legacy reasons.

• Can an Android app crash a plane?

A presentation at the Hack In The Box conference in Amsterdam about the security of in-flight control software on commercial aircraft got lots of publicity recently. We reminded you that the claims you may have heard implying that almost anyone with an Android phone could overpower a plane at will aren't quite the conclusions you should draw.

• Facebook Home and "Cover Feed"

We discussed the "Cover Feed" parts of the new Facebook Home offering, which is a replacement for the lock screen that effectively leaves your phone in a partially-unlocked state in which other people's Facebook posts pop up even if you're not there. Not only that, but you - or someone near your phone - can Like those posts without unlocking the device. We aren't convinced this is a good idea, and we thought you should stick to the leanest, meanest, cleanest lock screen you can tolerate.

• Stop by and meet the team

Finally, since Chester's in London right now, he invited anyone attending this week's Infosecurity Europe in Earls Court to stop by at the Sophos booth and say, "G'day!"

Catch up with Chet Chats and other podcasts

You can download the Sophos Security Chet Chat podcast episode 107 directly in MP3 format.

And why not take a look at the back-catalogue of Sophos Podcasts in our archive? We have loads of interesting stuff for your listening pleasure.

2 Responses to SSCC 107 - Hostgator, Safari, Java, pwning planes with Android, and Facebook Home [PODCAST]

  1. Timothy Gaywood · 496 days ago

    I have used the function in the Opera web browser which asks you to enable any type of plugin on every website. I use Java for one online game which is soon creating an HTML5 version, so I will soon be able to disable the web plugin and just use Java for the Minecraft standalone applet. On another note, I updated Java on one of my lesser used machines and one of the messages told me that installing Java 7 would uninstall Java 6 for me. I cannot believe it has taken this long for Oracle to remove old insecure versions of Java.
    For quite a long time Adobe has removed older versions of Reader when you install the new one.

    I have worked on tons of systems for my customers which have Java 5 and multiple versions of Java 6. I feel that major OEMs are not helping by installing all these applications which may or may not be needed by their customers.

    • Paul Ducklin · 496 days ago

      IIRC (at least on OS X) only the most recently-installed browser plugin will be used, so if you update from 1.6 to 1.7, say (Apple-to-Oracle version or Oracle-to-Oracle version), you will by default use the latest plugin with the latest Java Runtime in your browser.
      http://javatester.org/ will tell you what plugin version, if any, is the one that will be activated when you visit an applet...

About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog