SSCC 112 - Keyjacking, Facebook and Opera breaches, Apple's WPA passwords [PODCAST]

Filed Under: Apple, Clickjacking, Cryptography, Data loss, Facebook, Featured, Internet Explorer, Podcast, Privacy, Web Browsers

Here you are!

Episode #112 of the Sophos Security Chet Chat podcast.

News, opinion, advice and research: Chet and Duck (Chester Wisniewski and Paul Ducklin) bring you their unique and entertaining combination of all four in their regular quarter-hour programme.

(You can keep up with our podcasts via RSS or iTunes, and catch up on previous Chet Chats and other Sophos podcasts by browsing our podcast archive.)

Listen now:

(03 July 2013, duration 13'47", size 8.3 MBytes)

Download now:

Sophos Security Chet Chat #112 (MP3)

Chet Chat episode 112 shownotes:

Keyjacking

When you press a key in your browser window, where does the keystroke end up? What if you think you're typing into the topmost, visible window but your keys are being consumed by a deviously-hidden dialog underneath?

Chet and Duck discuss keyjacking, the keyboard equivalent of clickjacking.

Data breach notifications

Both Opera and Facebook published what Duck calls Dee-Bee-Ens lately - data breach notifications, that is.

You could have been forgiven for thinking the notices were about breach prevention rather than about breaches that had already happened, which left Chet and Duck confused.

Chet even went so far as to hope that we don't end up with regulations about complying with regulations about breach notification.

Apple's WPA passwords

If you use your iPhone or iPad as a Wi-Fi hotspot, it will generate a human-friendly WPA password for you, up to ten letters-and-digits long. That sounds good, but is it?

Chet and Duck discuss recent research that analysed the algorithm Apple uses and found that password strength is not all about length: a predictable pattern shrinks the number of guesses an attacker needs far below what ten characters would suggest.
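To put a number on "not all about size", here is an added example (not code from the podcast, from Apple, or from the research discussed) that compares the keyspace of a truly random ten-character alphanumeric password with that of a ten-character password built from a pattern: one lower-case word drawn from a fixed list, followed by four digits. The word-list size (1,842 words), the word-plus-digits pattern and the guess rate (400,000 WPA2 PSK guesses per second, roughly a 2013-era GPU rig working from a captured handshake) are assumptions chosen for illustration; the page does not state the real generator's parameters.

```python
"""Keyspace versus length for a ten-character Wi-Fi hotspot password.

Added example, not from the original page or the cited research. It shows why
a password that *looks* like ten random letters and digits can be guessed in
seconds if it is really <dictionary word><4 digits>.
"""
import math
import string

ALNUM = string.ascii_letters + string.digits  # 62 symbols

# Assumptions for illustration only (not figures taken from the page):
ASSUMED_WORD_LIST_SIZE = 1842       # words the generator could pick from
ASSUMED_DIGIT_COUNT = 4             # trailing digits appended to the word
ASSUMED_GUESSES_PER_SECOND = 4e5    # offline WPA2 PSK guesses/s from a handshake


def random_keyspace(length: int, alphabet_size: int = len(ALNUM)) -> int:
    """Distinct passwords when every position is uniformly random."""
    return alphabet_size ** length


def pattern_keyspace(word_list_size: int, digit_count: int = ASSUMED_DIGIT_COUNT) -> int:
    """Distinct passwords of the form <word from list><digit_count digits>."""
    return word_list_size * 10 ** digit_count


def entropy_bits(keyspace: int) -> float:
    """Bits of entropy for a password chosen uniformly from `keyspace` options."""
    return math.log2(keyspace)


def expected_crack_seconds(keyspace: int, guesses_per_second: float) -> float:
    """Average time to hit the right key: on average half the space is tried."""
    return keyspace / 2 / guesses_per_second


def equivalent_random_length(keyspace: int, alphabet_size: int = len(ALNUM)) -> float:
    """How many uniformly random alphanumeric characters carry the same entropy."""
    return entropy_bits(keyspace) / math.log2(alphabet_size)


def compare(length: int = 10,
            word_list_size: int = ASSUMED_WORD_LIST_SIZE,
            guesses_per_second: float = ASSUMED_GUESSES_PER_SECOND) -> dict:
    """Side-by-side strength of a random vs. a patterned password of equal length."""
    rnd = random_keyspace(length)
    pat = pattern_keyspace(word_list_size)
    return {
        "random_bits": entropy_bits(rnd),
        "pattern_bits": entropy_bits(pat),
        "random_seconds": expected_crack_seconds(rnd, guesses_per_second),
        "pattern_seconds": expected_crack_seconds(pat, guesses_per_second),
        # The patterned 10-char password is only as strong as this many random chars.
        "pattern_equivalent_random_chars": equivalent_random_length(pat),
    }


if __name__ == "__main__":
    r = compare()
    print(f"random 10 chars : {r['random_bits']:.1f} bits, "
          f"~{r['random_seconds'] / 31_557_600:.0f} years to crack on average")
    print(f"word + 4 digits : {r['pattern_bits']:.1f} bits, "
          f"~{r['pattern_seconds']:.0f} seconds to crack on average")
    print(f"the patterned password is worth about "
          f"{r['pattern_equivalent_random_chars']:.1f} random alphanumeric characters")
```

The lesson is the one the podcast draws: an attacker who knows the generator's structure searches the pattern space, not the space of all ten-character strings, so the defence is to generate the key from a proper random source (or set your own long, unpredictable passphrase) rather than to rely on the length the generator displays.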

Previous episodes

Don't forget: for a regular Chet Chat fix, follow us via RSS or on iTunes.


3 Responses to SSCC 112 - Keyjacking, Facebook and Opera breaches, Apple's WPA passwords [PODCAST]

  1. I recently encrypted my hard drive with MS BitLocker and use a USB key to access it. It's not clear to me if you are just supposed to use the USB key to log in and then remove it, or leave it in. If I leave it in after logging on, am I protected or have I left the door open? If I log on and remove the USB key, will my computer still function? Thanks for any help. I read your Naked Security every day and really love it. I'm 69 and didn't start using a computer until about 8 years ago, so I am somewhat dumb when it comes to all the things I missed out on in the days before that. Ron Eskelson

  2. LindaSView · 816 days ago

    I am really concerned with an issue discussed in your podcast about the duty to report. I have found at least two major email server data breaches, and the ISP of one refuses to admit it. I am in Massachusetts and we have the law that consumers are supposed to be notified. Also, a large web-based email server was compromised and nothing is being said about that. In the meantime, the ISP server that was hit suddenly was routing their stuff through a California server. In the end, hundreds of people, at least from what I got from reading the forum posts (probably thousands or more, actually), noticed they had had their IP addresses changed. Meanwhile, the server that had the breach is now up and running. People were told they had "bots" in both cases, yet ran hundreds of different scans, and nothing was found. Now, it seems all is quiet on that front. Meanwhile, the large web-based email supplier convinced most users it was their fault, and one person I know had to pay $250.00 to the security guy for this email server as her computer had been compromised, as had several of the ISP's.

  3. LindaSView · 816 days ago

    Continued from above comment by LindaSView
    When the MIME headers and the traces all lead back to where they should when it's legit, the problem with spam, as well as personal information being sent out through the person's contacts, came from a server issue more than a "critter" on the computer. Ironically, the breaches began the day before the news about the PRISM program broke. I really feel someone left a door open and the bad guys sauntered in. One top security guy with the ISP I am referring to did admit to a person I know, who is somewhat tech-security knowledgeable, that it did appear something had happened to one of the servers, but on the forums, no one there will admit it. If we can't honestly communicate and inform, how the heck is the Internet going to be able to continue to be a two-way street? How many end-users are going to needlessly have to fork over hundreds of dollars, not only in keeping security software firms lucrative, but also in paying for tech support when in fact, many times, it's not the end-user but the supplier? Just some thoughts.

About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog