Once again Paul Ducklin joined me for this week’s Chet Chat, the last one I was able to record before heading off to InfoSec Europe.
Mac malware has been a major topic for the last couple of weeks, and Paul and I try to get past the FUD and explain what is really happening to OS X users. Emotions run deep when it comes to Mac threats, but it would be foolish to ignore them.
Apple also seems to be addressing phishing attacks against Apple IDs (iTunes accounts) by introducing knowledge-based authentication. Paul and I discuss the benefits and risks associated with Apple's approach.
Paul also explained the reasoning behind the $25,000 fine imposed on Google by the FTC related to its gathering of unencrypted WiFi data.
(17 April 2012, duration 16:52 minutes, size 12.2 MBytes)
You can also download this podcast directly in MP3 format: Sophos Security Chet Chat 88, subscribe on iTunes or our RSS feed. You can see all of the Sophos Podcasts by visiting our archive.
This Knowledge-based Authentication makes the account security weaker. Where did you go to school? All I have to do is dig, and if the person isn't a random target, I can get a lot of information to aid in the attack. What's the name of your pet? Check Facebook for a start. I just did that last week for somebody. I didn't know the name of the dog, but Facebook let me find it in five minutes. Favorite teacher? Again, nothing that isn't already known to somebody, and possibly the Internet because the information was put on Facebook or any number of other sites.
User passwords are also not secure, because a good attack will go after the administrative system and bypass all user passwords. It's happened on Facebook, and I know it's happened elsewhere. Centralized security is not a good plan. It's like having the most secure car keys that can't be copied, but there's a set of master keys that open and start every car. All I have to do is compromise the master key, and all of the individual owners' keys are compromised.
That is a horrible intro for several reasons: (1) no one under 25 knows what that (2) incredibly annoying sound is! I haven't used a modem for 2 decades, and I will never miss that sound.
I know the first thing I like to do when listening to a podcast is jump for the volume knob to save my ears/speakers/SO’s sleep cycle… you get the idea.