SSCC 113 – Another Android hole, Tumblr forgets encryption, Nintendo under attack [PODCAST]

News, opinion, advice and research: Chet and Duck (Chester Wisniewski and Paul Ducklin) bring you their unique and entertaining combination of all four in their regular quarter-hour programme.

Chester’s been on the road, so this episode of the Chet Chat is a couple of days late for logistical reasons.

We apologise for that, but Chet and Duck think it’s no less interesting for the delay!

In fact, this week’s main story – the two-in-a-row exploits against Android code verification – intrigued your presenters so much that they resolved to link up and record this show, come what may.

And so, here it is: SSCC Episode #113.

(You can keep up with our podcasts via RSS or iTunes, and catch up on previous Chet Chats and other Sophos podcasts by browsing our podcast archive.)

Listen now:

(19 July 2013, duration 14’41”, size 8.8 MBytes)

Download now:

Sophos Security Chet Chat #113 (MP3)

Chet Chat episode 113 shownotes:

Android code validation holes

The news wires have been buzzing with the “master keys” attack, and the “extra field” attack, both of which let you create Android Package files (APKs) that show one set of content to Google’s cryptographic verification, and another to the installer.

Chet and Duck explain what happened, come up with some ideas that would have avoided the problem in the first place, explain what to do about it, and wonder how long before the fixes are on your handset.
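The Android flaws discussed above both hinge on two parsers reading the same APK (which is a ZIP archive) differently: the “master keys” bug relied on the same entry name appearing twice, and the “extra field” bug on a signed-versus-unsigned disagreement about an extra-field length. The check below, written for this page and not part of the podcast or of Android itself, walks the ZIP central directory by hand and flags the kinds of ambiguity a verifier should refuse outright; the APK-like sample archive it audits is constructed inline.

```python
import io
import struct
import warnings
import zipfile

EOCD, CDH, LFH = b"PK\x05\x06", b"PK\x01\x02", b"PK\x03\x04"

def audit_zip(data: bytes) -> list[str]:
    """Report anything two ZIP parsers might read differently: duplicate names,
    local-header/central-directory disagreements, extra-field lengths >= 0x8000."""
    findings, seen = [], {}
    eocd = data.rfind(EOCD)
    if eocd < 0:
        return ["no end-of-central-directory record"]
    # EOCD: sig, disk, cd_disk, entries_here, entries_total, cd_size, cd_off, comment_len
    _, _, _, _, total, cd_size, cd_off, _ = struct.unpack_from("<4sHHHHIIH", data, eocd)
    pos, parsed = cd_off, 0
    while pos < cd_off + cd_size and data[pos:pos + 4] == CDH:
        hdr = struct.unpack_from("<4sHHHHHHIIIHHHHHII", data, pos)
        name_len, extra_len, comment_len, lfh_off = hdr[10], hdr[11], hdr[12], hdr[16]
        name = data[pos + 46:pos + 46 + name_len].decode("utf-8", "replace")
        if name in seen:
            findings.append(f"duplicate entry {name!r} (central dir #{seen[name]} and #{parsed})")
        seen.setdefault(name, parsed)
        # Cross-check the local file header, which is what an extractor actually reads.
        lfh = struct.unpack_from("<4sHHHHHIIIHH", data, lfh_off)
        if lfh[0] != LFH:
            findings.append(f"entry {name!r}: local header signature missing")
        else:
            l_name = data[lfh_off + 30:lfh_off + 30 + lfh[9]].decode("utf-8", "replace")
            if l_name != name:
                findings.append(f"entry {name!r}: local header names it {l_name!r}")
            if lfh[10] >= 0x8000 or extra_len >= 0x8000:
                findings.append(f"entry {name!r}: extra-field length >= 0x8000 (signed/unsigned ambiguity)")
        pos += 46 + name_len + extra_len + comment_len
        parsed += 1
    if parsed != total:
        findings.append(f"EOCD claims {total} entries, central directory holds {parsed}")
    return findings

def build_sample(duplicate: bool) -> bytes:
    """Constructed APK-like archive; duplicate=True adds a second classes.dex entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z, warnings.catch_warnings():
        warnings.simplefilter("ignore")  # zipfile warns about duplicate names but writes them
        z.writestr("classes.dex", b"constructed: bytecode the verifier would hash")
        if duplicate:
            z.writestr("classes.dex", b"constructed: second copy with the same name")
        z.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
    return buf.getvalue()
```

A verifier that rejects any archive with a non-empty finding list closes the gap the two bugs exploited, because both parsers are then guaranteed to see a single, unambiguous set of entries.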

Tumblr leaves the S out of HTTPS

From Android to iOS, where Tumblr published a version of its app that somehow managed to leave out the part that encrypts your PII before sending it over the internet.

Chet wonders how the average user is supposed to spot that sort of bug.

Nintendo in month-long password crack

Nintendo got pounded by crackers who mounted a month-long password guessing attack.

The crooks only got hold of 24,000 passwords as a result (only!), and it looks as though those successes were largely down to using dictionaries of usernames and passwords from earlier hacks.

What to do? Federated identity? Password managers? A slimmer digital lifestyle?

Chet and Duck discuss the pros and cons of various ways to address the problem of password re-use.

Announcing the next #sophospuzzle – at BlackHat 2013

And Chet’s going to be at BlackHat 2013, and at DEF CON, so be sure to look him up in Vegas and say, “Hi.”

Duck won’t be there in body but you will find him present in mind and spirit, as he’s putting together a special #sophospuzzle for the occasion.

The puzzle will go up on Naked Security, so everyone can have a go, but BlackHatters can enter at Sophos’s booth at the trade show and win a secret prize!

(It’s a cool secret prize, which Duck lets slip in the podcast, and Chester bemoans being ineligible to win.)

Previous episodes

Don’t forget: for a regular Chet Chat fix, follow us via RSS or on iTunes.