SSCC 93 – Flame, LinkedIn, FISA, Patch Tuesday, border snooping and the BlueHat prize

This week brought another pleasant surprise when Michael Argast from Telus phoned me and asked if I needed a guest for the Chet Chat. I did, and Michael made some time to stop by the Chet Chat studio to discuss the week’s news.

We started out by discussing the password foibles of LinkedIn, EHarmony and others. Unsalted password hashes are very bad practice, considering that even your mobile phone not only salts its password hashes but also runs thousands of hashing rounds to make brute forcing difficult.
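As an added illustration (not part of the Chet Chat or Sophos’ own code), here is the weak storage scheme beside the salted, iterated one the passage describes; the sample passwords, round counts, record format and `MIN_ROUNDS` policy are constructed for the example:

```python
import hashlib
import hmac
import os

# Constructed sample passwords (not taken from any breach) to illustrate the point.
SAMPLE_PASSWORDS = ["password", "letmein", "password"]
MIN_ROUNDS = 10_000  # assumed policy threshold for this example


def unsalted_sha1(password: str) -> str:
    """The weak scheme: one fast, unsalted hash. Same password, same stored value."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def salted_pbkdf2(password: str, salt: bytes, rounds: int) -> bytes:
    """The hardened scheme: per-user random salt plus thousands of HMAC-SHA-256 rounds."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)


def make_record(password: str, rounds: int = 100_000) -> dict:
    """Store salt and round count beside the hash so the cost can be raised later."""
    salt = os.urandom(16)
    return {"scheme": "pbkdf2-sha256", "salt": salt, "rounds": rounds,
            "hash": salted_pbkdf2(password, salt, rounds)}


def verify(password: str, record: dict) -> bool:
    """Recompute with the stored salt/rounds and compare in constant time."""
    candidate = salted_pbkdf2(password, record["salt"], record["rounds"])
    return hmac.compare_digest(candidate, record["hash"])


def duplicates_visible(stored_values) -> bool:
    """True when two users with the same password end up with identical stored values."""
    values = list(stored_values)
    return len(set(values)) < len(values)


def needs_upgrade(record: dict) -> bool:
    """Flag legacy rows (unsalted or too few rounds) for re-hashing at next login."""
    return record.get("scheme") != "pbkdf2-sha256" or record.get("rounds", 0) < MIN_ROUNDS


if __name__ == "__main__":
    weak = [unsalted_sha1(p) for p in SAMPLE_PASSWORDS]
    strong = [make_record(p) for p in SAMPLE_PASSWORDS]
    print("unsalted duplicates visible:", duplicates_visible(weak))  # True
    print("salted duplicates visible:", duplicates_visible(r["hash"] for r in strong))  # False
    print("verify correct password:", verify("letmein", strong[1]))  # True
```

With unsalted hashes, every user who chose the same password is exposed at once and a single precomputed table serves against the whole database; with a per-user salt and a high round count, each guess must be recomputed per account and costs thousands of hash operations.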

Research by Kaspersky this week all but confirmed that the Flame malware shares its origin with Stuxnet; that is to say, it appears to originate from the United States and Israel.

It was nice to talk about something positive regarding privacy this week. US Senator Ron Wyden is temporarily blocking the FISA Amendment Act, the US legislation that authorized warrantless wiretapping designed to spy on domestic communications.

Michael brought up a parallel story from Canada, where MP Vic Toews has called for a privacy impact assessment of microphones that were placed at airports to listen in on people’s conversations while they waited to enter Canada. This appears to be a case of closing the stable door after the horse has bolted, but I suppose it’s better late than never.

On the preventative security front Michael and I talked about Microsoft’s announcement of the three finalists for its new BlueHat Prize. All three finalists devised methods to thwart Return Oriented Programming (ROP) attacks against Microsoft Windows.

We concluded this week’s talk by emphasizing the extremely important updates released in this month’s Patch Tuesday. In addition to the critical fixes for IE and RDP, a zero-day flaw in MS XML is being exploited in the wild; users are advised to apply Microsoft’s Fix It.

(21 June 2012, duration 21:14 minutes, size 12.8 MBytes)

You can also download this podcast directly in MP3 format: Sophos Security Chet Chat 93, subscribe on iTunes or our RSS feed. You can see all of the Sophos Podcasts by visiting our archive.