SSCC 108 – WW2 crypto, Bitcoin mining, internet cameras, password breaches [PODCAST]

For your listening pleasure, here’s the latest episode in our popular “Chet Chat” series.

Senior Security Advisor Chester Wisniewski discusses the latest security news with regular guest Duck (Paul Ducklin).

The pair turn their unique blend of insight, expertise and scepticism on recent events in the computer security world.

(If this is your first time listening to the Chet Chat: episodes come out every two weeks, and usually last about a quarter of an hour. That makes the Chet Chat podcast ideal for your daily commute or for a spot of lunchtime listening. There’s an archive of previous Chet Chats and other Sophos podcasts – you can also get our podcasts via RSS or iTunes.)

Chet Chat episode 108 shownotes:

• British cryptographic derring-do during World War Two

Chester and Duck look back on a “by-hand” steganographic system used by British PoWs during the Second World War to hide secret messages in letters home. Amazingly, researchers at Plymouth University just tried their hand at decoding the letters of a certain Sub Lieutenant John Pryor, and found that the system had worked fine!

Duck points out that hiding one message openly inside another is much more difficult than you might think, so he’s running a small contest for listeners and readers to try their hand at prison-camp crypto!

Write a short but believable paragraph that hides Duck’s 15-word secret message and you could win a Naked Security T-shirt.

• Network gaming company hides Bitcoin miner in anti-cheat tool

Chester expresses incredulity (but not, perhaps, surprise) at the news that a North American online games company shipped a secret Bitcoin miner inside its client software.

Duck reminds us that this story is particularly ironic since the only reason for the client software in the first place was to stop gamers cheating each other. Somehow the rules didn’t seem to extend to the company not cheating its customers out of GPU power.

• Internet cameras under the security lens once again

Duck laments some of the vulnerabilities found by researchers at Core Security in popular internet cameras. From hard-coded passwords, through directory traversal vulnerabilities to completely open access to the video stream, these holes don’t just affect security, but privacy, too.

Chester explains the method he uses to ensure he doesn’t forget about security patches and firmware updates for his home devices, but both Chet and Duck doubt that embedded devices in the workplace get patched as they should.

• Yet more very public password breaches

Chester asks where logon security is headed after the recent high-profile hacks at Associated Press and LivingSocial. He wonders whether salting and hashing passwords is really the panacea people seem to assume.

Duck agrees, pointing out his suspicion that “don’t worry, I hashed the passwords” is turning into an excuse for data breaches, rather than simply being treated as part of defence in depth.

• Signing off

Chester is too modest to mention it, so Duck chimes in at the end to thank our listeners and readers for their help in steering Naked Security to win a pair of awards. Chester collected them in person while he was at Infosecurity Europe in London.

Catch up with Chet Chats and other podcasts

(08 May 2013, duration 14’24”, size 8.7 MBytes)

You can download the Sophos Security Chet Chat podcast episode 108 directly in MP3 format.

And why not take a look at the back-catalogue of Sophos Podcasts in our archive? We have loads of interesting stuff for your listening pleasure.