SSCC 70 – Patch Tuesday, insulin pump hacking, Android patching, ChromeOS hacking, archiving our digital past

Vanja Svajcer from SophosLabs Croatia joined me this week to discuss the presentations we were able to attend at this year’s Black Hat and DEFCON security conferences in Las Vegas, Nevada.

This Tuesday was the monthly patch day for Microsoft and Adobe; as usual, I briefly highlighted the most important updates for August.

Vanja and I attended some sessions together and others independently, and we shared our thoughts on the most interesting of the sessions we were able to attend.

We began by discussing research into the security of Google’s recently released ChromeOS. Vanja pointed out that hacking ChromeOS is less about the operating system itself and much more about taking advantage of flaws in the Chrome browser.

Both of us had the pleasure of seeing Moxie Marlinspike speak at DEFCON on SSL insecurity and his proposed solutions. We both appreciated the in-depth look Marlinspike presented and found his proposed solution, Convergence, an interesting way of solving the authenticity problem.

Vanja attended a session by the team from Lookout Security about the patch life cycle on the Android OS.

The Lookout team measured the average time from the discovery of a vulnerability until Google provided a patch, then the average time each OEM took to integrate that patch into its Android build for each handset, and finally how long each carrier took to make the update available to its customers.

I discussed my thoughts on the research done by Jay Radcliffe on hacking insulin pumps through their RF interface.

Radcliffe uncovered some rather disturbing findings about the security protecting users of these devices, which will hopefully spur the manufacturers to improve their implementations in future devices.

The last talk we discussed was given by Jason Scott on the work of archiveteam.org whose slogan is “We are going to rescue your sh*t”. Scott talked about what Archive Team does, why they do it and he presented his case with a lot of panache.

(11 August 2011, duration 23:42 minutes, size 16.3 MBytes)

You can also download this podcast directly in MP3 format: Sophos Security Chet Chat 70 or subscribe to our RSS.



An open letter to Facebook about safety and privacy

Dear Facebook,

As you know, for some years we have been discussing with your security team our concerns about safety and privacy on Facebook.

Every day, victims report to us numerous incidents of crime and fraud on Facebook. They have been personally affected and are desperate for advice on how to deal with the consequences.

A frequent refrain from users who contact us is, ‘Why doesn’t Facebook do more to protect us?’

We have identified three simple steps you can take to better protect your users:

1) PRIVACY BY DEFAULT

No more sharing of information without your users’ express agreement (OPT-IN). Whenever you add a new feature to share additional information about your users, you should not assume that they want this feature turned on.

2) VETTED APP DEVELOPERS

It is far too easy to become a developer on Facebook. With over one million app developers already registered on the Facebook platform, it is hardly surprising that your service is riddled with rogue applications and viral scams. Only vetted and approved third-party developers should be allowed to publish apps on your platform.

3) HTTPS FOR EVERYTHING

We welcome your recent introduction of an HTTPS option, but you left it turned off by default. Worse, you only commit to provide a secure connection “whenever possible”. Facebook should enforce a secure connection all the time, by default. Without this protection, your users are at risk of losing personal information to hackers.
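The difference between HTTPS “whenever possible” and HTTPS enforced by default is something you can test from the outside. The following checker is an added example and is not code from Naked Security or Facebook: it takes a raw response for the plain http:// URL and one for the https:// URL and reports whether the site redirects plain HTTP to HTTPS, whether the HTTPS response carries a Strict-Transport-Security (HSTS) header so browsers stop trying plain HTTP (a mechanism the letter itself does not mention), and whether any cookie is set without the Secure flag, which is how a session token ends up on the wire in the clear. The two pairs of sample responses are constructed for the illustration, not captured from any real site.

```python
# Added example (not from the Naked Security post): a small checker for the
# "HTTPS for everything" recommendation.  Assumptions: an enforcing site
# (1) answers every http:// request with a redirect to https://, (2) sends a
# Strict-Transport-Security header on the HTTPS response, and (3) marks its
# cookies Secure.  The sample responses below are constructed, not captured.


def parse_response(raw: str):
    """Split a raw HTTP/1.x response into (status_code, [(name, value), ...])."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers


def header_value(headers, name: str) -> str:
    """First value of a header (names are already lower-cased), or '' if absent."""
    return next((v for n, v in headers if n == name), "")


def hsts_max_age(value: str) -> int:
    """max-age from a Strict-Transport-Security value; 0 if missing or invalid."""
    for directive in value.split(";"):
        key, _, val = directive.strip().partition("=")
        if key.strip().lower() == "max-age" and val.strip().isdigit():
            return int(val.strip())
    return 0


def insecure_cookies(headers) -> list:
    """Names of Set-Cookie entries that lack the Secure attribute."""
    names = []
    for n, v in headers:
        if n != "set-cookie":
            continue
        attrs = [p.strip().lower() for p in v.split(";")[1:]]
        if "secure" not in attrs:
            names.append(v.split(";", 1)[0].split("=", 1)[0].strip())
    return names


def assess_https_enforcement(http_raw: str, https_raw: str) -> dict:
    """Individual findings plus an overall 'enforced' verdict."""
    http_status, http_headers = parse_response(http_raw)
    _https_status, https_headers = parse_response(https_raw)
    location = header_value(http_headers, "location")
    redirects = http_status in (301, 302, 307, 308) and location.lower().startswith("https://")
    max_age = hsts_max_age(header_value(https_headers, "strict-transport-security"))
    # A cookie without Secure is a leak whichever response set it.
    leaky = insecure_cookies(https_headers) + insecure_cookies(http_headers)
    return {
        "redirects_to_https": redirects,
        "hsts_max_age": max_age,
        "insecure_cookies": leaky,
        "enforced": redirects and max_age > 0 and not leaky,
    }


# Constructed samples.  "Optional HTTPS": the plain-HTTP URL serves the page
# and a session cookie in the clear; HTTPS exists but nothing pushes you to it.
OPTIONAL_HTTP = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: session=abc123; Path=/; HttpOnly\r\n"
    "\r\n<html>...</html>"
)
OPTIONAL_HTTPS = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: session=abc123; Path=/; HttpOnly\r\n"
    "\r\n<html>...</html>"
)
# "Enforced HTTPS": plain HTTP only ever answers with a redirect, and the HTTPS
# response pins the browser to HTTPS and keeps the cookie off the wire.
ENFORCED_HTTP = (
    "HTTP/1.1 301 Moved Permanently\r\n"
    "Location: https://www.example.com/\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)
ENFORCED_HTTPS = (
    "HTTP/1.1 200 OK\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Set-Cookie: session=abc123; Path=/; Secure; HttpOnly\r\n"
    "\r\n<html>...</html>"
)

if __name__ == "__main__":
    print(assess_https_enforcement(OPTIONAL_HTTP, OPTIONAL_HTTPS))
    print(assess_https_enforcement(ENFORCED_HTTP, ENFORCED_HTTPS))
```

The “optional” pair fails on all three counts, which is the “whenever possible” situation: anyone on the same open wireless network can read the session cookie from the plain-HTTP response. The “enforced” pair passes because the redirect, the HSTS header and the Secure flag together leave no path on which the user’s data travels unencrypted.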

Why wait until regulators force your hand on privacy? Act now for the greater good of all.

Your users tell us that these are issues they want resolved. So our question is simple: when do you plan to act?

Sincerely,

Naked Security