Security Now 206

From The Official TWiT Wiki
Security Now
Episode 206

Security Now 206: Security News Updates

A lot of security news transpired during the three weeks since Steve and Leo last recorded live, so instead of the regularly scheduled Q&A episode (moved to next week), today they catch up with this week's "mega security news update".

News & Errata

05:15 - 08:30

  • The Economist is now available on the Kindle
  • Barnes & Noble is entering the e-book market and will compete with Amazon and the Kindle
  • Plastic Logic has a competing technology to E Ink: a flexible plastic sheet that displays monochrome images.
  • Its e-reader will also have a touch screen

08:31 - 10:34

  • Steve will be conducting vitamin D research on himself to determine whether sun exposure really produces vitamin D
  • 30 minutes of sun exposure generates about 10,000 IU of vitamin D.
  • Supplements contain 400 IU, which is the RDA

10:35 - 12:48

  • Steve takes the Kindle 2 with him because it is more convenient; whilst the DX's screen is magnificent, it's too big

16:50 - 19:35

  • The new version of the YubiKey can function as a one-time password generator and a static password generator at the same time
  • There is a special discount for Security Now listeners
  • Use the coupon code "SecurityNow" for 40% off
  • It will only cost $15 per key instead of $25
  • Yubico

SpinRite Story

32:15 - 35:00 Brad Schick (Unknown)

A user's computer locked up and he had to shut it down by pulling the power. It wouldn't reboot, so he ran SpinRite on it; in 17 minutes it had finished and fixed the problem.

Security News Updates

19:50 - 23:37

  • Patch Tuesday: 3 critical, 3 important
  • Microsoft expects exploits for all of the vulnerabilities addressed
  • A zero-day remote code execution vulnerability was fixed
  • Two of the fixes were in what Microsoft calls the Embedded OpenType (EOT) font engine, which was exploitable from a web page or an email.
  • The Microsoft Publisher problem was fixed
  • There is a Microsoft Video ActiveX control that has not been patched yet; Microsoft has told people to set its kill bit instead

23:58 - 28:32

  • Firefox 3.5 had a critical memory corruption flaw in its just-in-time JavaScript compiler, fixed in 3.5.1
  • Firefox 3 had an update which fixed:
    • A crash and remote code execution problem in scalable vector graphics (SVG) handling
    • A heap integer overflow in its font glyph rendering libraries
    • A remote code execution problem triggered when the Flash Player plugin was unloaded
    • A crash that showed evidence of memory corruption

28:33 - 30:45

  • Google Chrome had an update due to a heap-based buffer overflow vulnerability
  • It also had a problem where a site could crash the browser and run malicious code
  • Google also updated its JavaScript engine (V8) and Gears

30:36 - 32:00

  • Safari has been updated to fix two flaws:
  • A cross-site scripting flaw and a memory corruption issue

40:56 - 47:35

  • Black Hat runs from 25 to 30 July
  • A remote code execution vulnerability in the iPhone's SMS handling is being demonstrated there
  • Your phone can be taken over simply by receiving a text message; the user does not have to do anything
  • This started out as a way to crash the phone

46:36 - 52:07

  • There is a zero-day exploit for an ActiveX control in Microsoft's Office Web Components
  • There is no patch available; you should set the kill bit for this control by visiting Microsoft's site
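One way to apply the kill-bit advice above (the same advice Microsoft gave for the unpatched Video ActiveX control in the Patch Tuesday notes), as an added example that is not part of the show notes and not Microsoft's own "Fix it" package. It writes the registry value Microsoft documents for kill bits: the "Compatibility Flags" DWORD under the ActiveX Compatibility key, with bit 0x400 set, which tells Internet Explorer never to instantiate that control. The CLSID in the block is a placeholder; the real CLSIDs for the Office Web Components and Video controls come from Microsoft's advisories and are not listed on this page.

```powershell
# Added example: set and verify the Internet Explorer ActiveX kill bit for a
# control identified by CLSID. Not from the show or from Microsoft; it uses
# the registry mechanism Microsoft documents for kill bits.
# Run from an elevated prompt (64-bit PowerShell on 64-bit Windows, so that
# HKLM:\SOFTWARE is not silently redirected to Wow6432Node).

$KillBit = 0x400   # "do not instantiate" flag in "Compatibility Flags"

function Get-ActiveXCompatPaths {
    param([Parameter(Mandatory)][string]$Clsid)
    $paths = @("HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid")
    # 32-bit IE on 64-bit Windows reads the Wow6432Node view of the hive.
    if (Test-Path 'HKLM:\SOFTWARE\Wow6432Node') {
        $paths += "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
    }
    return $paths
}

function Set-ActiveXKillBit {
    param([Parameter(Mandatory)][string]$Clsid)
    foreach ($path in Get-ActiveXCompatPaths -Clsid $Clsid) {
        if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
        # Preserve flags already present for this control; only OR in the kill bit.
        $existing = (Get-ItemProperty -Path $path -Name 'Compatibility Flags' `
                     -ErrorAction SilentlyContinue).'Compatibility Flags'
        $value = [int]$existing -bor $KillBit
        New-ItemProperty -Path $path -Name 'Compatibility Flags' `
            -PropertyType DWord -Value $value -Force | Out-Null
    }
}

function Test-ActiveXKillBit {
    # Returns $true only if the kill bit is set in every applicable hive view.
    param([Parameter(Mandatory)][string]$Clsid)
    foreach ($path in Get-ActiveXCompatPaths -Clsid $Clsid) {
        $flags = (Get-ItemProperty -Path $path -Name 'Compatibility Flags' `
                  -ErrorAction SilentlyContinue).'Compatibility Flags'
        if (-not $flags -or (($flags -band $KillBit) -eq 0)) { return $false }
    }
    return $true
}

# Placeholder CLSID (assumption): substitute the CLSIDs from the Microsoft advisory.
$Clsid = '{00000000-0000-0000-0000-000000000000}'
Set-ActiveXKillBit -Clsid $Clsid
"Kill bit set for ${Clsid}: $(Test-ActiveXKillBit -Clsid $Clsid)"
```

Setting the kill bit does not remove the control or stop other applications from using it; it only stops Internet Explorer (and anything hosting the IE rendering engine) from loading it, which is exactly what blocks the web-page and email attack vectors discussed in this episode. Because the bit is OR'd into the existing value, any other compatibility flags Microsoft has already set for the control survive.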

52:08 - 54:40

  • BT and TalkTalk have dropped Phorm, causing Phorm's stock price to fall by more than 50%

54:41 - 01:00:00

  • Amazon remotely deleted copies of "Animal Farm" and "1984" from customers' Kindles because those editions had been put on sale illegally
  • Amazon has said it won't do it again

01:00:01 - 01:02:20

  • Older versions of McAfee's antivirus software wrongly identified critical Windows files as a worm, leaving computers unable to boot

01:02:21 - 01:10:03

  • The USA and South Korea suffered distributed denial of service (DDoS) attacks
  • A Vietnamese research organization found the command-and-control servers, tracked them back, and estimated that 177,000 infected machines were used in the attack
  • The U.S. Treasury Department, the Transportation Department and the FTC all had their websites taken down for various lengths of time
  • The bot code was set to self-destruct on July 10th 2009
  • Before destroying itself it would encrypt the user's documents and then wipe the master boot record so the computer couldn't boot
  • Bkav (Bach Khoa Internetwork Security) tracked down eight command-and-control servers and then the single master server that was distributing commands to those eight.

01:10:04 - 01:14:30

  • Global Gaming Factory bought The Pirate Bay for 60 million kronor
  • They say it will become a subscription service, so end users will have to pay some sort of monthly fee for access to the site.
  • But users who allow their machines to be used, or who submit content, will be reimbursed and receive a reduction in the monthly fee.
  • Kazaa also says it intends to do something similar

01:14:31 - 01:18:26

  • The Messaging Anti-Abuse Working Group (MAAWG) has put out a report titled "A Look at Consumers' Awareness of Email Security and Practices".
  • Their website
  • A sample of 800 computer users in North America was surveyed; asked why they had opened or responded to spam:
  • 30% had clicked on a link accidentally or were curious
  • 12% were actually interested in the advertised product or service
  • 8% said they did not believe it was likely that their computers would be infected with malware and recruited for sending spam.
  • The report can be read Here

01:18:27 - 01:22:04

  • At a conference in Estonia discussing cyber warfare two unnamed U.S. government officials said that they believe it is time to start creating policy in the U.S. that would allow for offensive cyber attacks.

01:22:05 - 01:27:20

  • A group at Stanford will also be presenting some very distressing findings this weekend at the Black Hat conference.
  • They tested 21 devices from 16 manufacturers: web-enabled gizmos such as webcams, printers, network switches, photo frames, VoIP phones and remote management tools.
  • Not one was free of serious web-application flaws. For example, they were able to inject JavaScript through the devices' login prompts (cross-site scripting).
  • The Stanford University Web Security Laboratory white paper that Steve referenced should be published on the Stanford Web Security Laboratory page Here after the Black Hat conference presentation.
  • In the meantime, there is a link provided by one of the authors of the study, Hristo Bojinov, to an article in The Register about their web interface work Here.

Notable Quotes

51:24
Leo: "It strikes me this is the most depressing show in history."

01:01:47
Leo: (Of Microsoft Security Essentials[1]) "McAfee and Symantec and everybody else are going to have to think of a new business." ... Steve: "... It'll be the first AV that I ever run, and I'll recommend it to everyone-- unless there are any downsides that we learn about."

Significant Products

16:50 - 19:35
Steve announced a special offer for Security Now subscribers from Yubico. Use the coupon code "SecurityNow" (without quotes) at checkout and you can purchase up to nine Yubikeys for 40% off until the end of July. The sale price is $15, down from $25. Yubico.com link : [2]

Sponsors

Astaro

Ad Times: 0:36-0:47 and 13:28-16:38

GoToMyPC

  • Go To My PC
  • Q209-5
  • Ad Times: 0:48-1:01 and 37:58-40:42

Production Information

  • Recorded Date: July 22, 2009
  • Release Date: July 23, 2009
  • Duration: 1:30:09
  • Log line:
  • Edited by: Tony
  • Notes: