Chester’s been on the road, so this episode of the Chet Chat is a couple of days late for logistical reasons.
We apologise for that, but Chet and Duck think it’s no less interesting nevertheless!
In fact, this week’s main story – the two-in-a-row exploits against Android code verification – intrigued your presenters so much that they resolved to link up and record this show, come what may.
And so, here it is: SSCC Episode #113.
(19 July 2013, duration 14’41”, size 8.8 MBytes)
Chet Chat episode 113 shownotes:
Android code validation holes
The news wires have been buzzing with the “master keys” attack, and the “extra field” attack, both of which let you create Android Package files (APKs) that show one set of content to Google’s cryptographic verification, and another to the installer.
Chet and Duck explain what happened, come up with some ideas that would have avoided the problem in the first place, explain what to do about it, and wonder how long before the fixes are on your handset.
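One defensive check that would have caught the better-known of the two holes: reject any archive whose central directory lists the same name twice, because a duplicated entry is exactly what lets the verifier and the installer pick different bytes. This is an added example in Python, not code from the podcast or from Android; it assumes the duplicate-entry variant of the bug and runs on a constructed archive built inline.

```python
import io
import warnings
import zipfile
from collections import Counter


def build_sample_zip(duplicate: bool) -> bytes:
    """Constructed sample: an APK-style archive with AndroidManifest.xml
    and classes.dex. With duplicate=True a second classes.dex entry is
    appended; zipfile warns ("Duplicate name") but still writes both."""
    buf = io.BytesIO()
    with warnings.catch_warnings():
        warnings.simplefilter("ignore")
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr("AndroidManifest.xml", b"<manifest/>")
            zf.writestr("classes.dex", b"dex\n035 original")
            if duplicate:
                zf.writestr("classes.dex", b"dex\n035 replaced")
    return buf.getvalue()


def duplicate_entries(zip_bytes: bytes) -> dict:
    """Names that appear more than once in the central directory.
    An empty result means the archive passes this check."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        counts = Counter(info.filename for info in zf.infolist())
    return {name: n for name, n in counts.items() if n > 1}


def first_and_last_payload(zip_bytes: bytes, name: str) -> tuple:
    """Illustrate the parser differential: a reader that keeps the first
    entry it meets and one that keeps the last see different contents."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        matches = [i for i in zf.infolist() if i.filename == name]
        first = zf.open(matches[0]).read()
        last = zf.open(matches[-1]).read()
    return first, last


if __name__ == "__main__":
    bad = build_sample_zip(duplicate=True)
    print("duplicates:", duplicate_entries(bad))
    print("first vs last:", first_and_last_payload(bad, "classes.dex"))
    print("clean archive:", duplicate_entries(build_sample_zip(False)))
```

Python's own `ZipFile.read(name)` silently returns the last entry of a duplicated name, which is the kind of quiet disagreement between readers that the check above is meant to surface.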
Tumblr leaves the S out of HTTPS
From Android to iOS, where Tumblr published a version of its app that somehow managed to leave out the part that encrypts your PII before sending it over the internet.
Chet wonders how the average user is supposed to spot that sort of bug.
Nintendo in month-long password crack
Nintendo got pounded by crackers who mounted a month-long password guessing attack.
The crooks only got hold of 24,000 passwords as a result (only!), and it looks as though those successes were largely down to using dictionaries of usernames and passwords from earlier hacks.
What to do? Federated identity? Password managers? A slimmer digital lifestyle?
Chet and Duck discuss the pros and cons of various ways to address the problem of password re-use.
Announcing the next #sophospuzzle – at BlackHat 2013
And Chet’s going to be at BlackHat 2013, and at DEF CON, so be sure to look him up in Vegas and say, “Hi.”
Duck won’t be there in body but you will find him present in mind and spirit, as he’s putting together a special #sophospuzzle for the occasion.
The puzzle will go up on Naked Security, so everyone can have a go, but BlackHatters can enter at Sophos’s booth at the trade show and win a secret prize!
(It’s a cool secret prize, which Duck lets slip in the podcast, and Chester bemoans being ineligible to win.)