Security Now 208

Security Now
Episode 208

Security Now 208: Listener Feedback 72

News & Errata

11:41 - 16:00

  • The iPhone has been patched to fix the SMS vulnerability

16:01 - 20:36

  • Firefox 3 and 3.5 have been updated
  • It fixes a heap buffer overflow
  • It also fixes a vulnerability where JavaScript can be used to replace the displayed URL, making it seem like you are on a secure site when you are actually on a phishing site

20:37 - 21:26

  • BIND 9 has been updated

21:27 - 24:00

  • Adobe has broken from its quarterly update schedule to fix a serious problem in Flash Player

24:01 - 26:53

  • In a survey, 55% of people ignored warnings that a security certificate had expired

26:54 - 28:35

  • A fake ATM was found at the DEFCON conference

28:36 - 33:25

  • The Windows 7 RTM build has a massive memory leak when you run chkdsk against a secondary drive

33:26 - 37:41

  • Michael McCollum has finished the first draft of Gibraltar Stars

37:42 - 38:26

  • Sony is releasing a pocket e-book reader for $199 with a 5" screen

38:29 - 38:55

  • Apple is reportedly working on a tablet PC

38:56 - 40:37

  • It's a toy, a puzzle, a beautiful thing: Here

Spinrite Story

40:38 - 44:55 Juan Guevara Torres (Unknown)

A listener was in line at a computer store, and the couple in front of him had a problem with their hard drive. The employee told them it would cost $299 to try to recover the data. So he stepped in and asked if the store was going to use SpinRite; they told him they were, so the listener told the couple they could buy the software themselves for $90. They took his advice, bought SpinRite, and it fixed their hard drive.

Questions & Answers

Question: [ 01 ]

50:07 - 01:01:18 Brian Mooney (Springdale, Arkansas) & Frylock (Unknown)
Question: Can you explain the new SSL exploit to do with how browsers process null characters?

Answer:

  • Code written in the C style processes a string until it hits a zero byte (a null character), which it treats as the end of the string.
  • A hacker could purchase a certificate for www.paypal.com[null].mymaliciousdomain.com, since the name really does belong to mymaliciousdomain.com.
  • Then, acting as a man in the middle, they could send a victim to their own version of PayPal and supply the browser with the certificate for www.paypal.com[null].mymaliciousdomain.com.
  • Currently most browsers stop processing the certificate name at www.paypal.com[null], because they treat the null as the end of the string, so to the browser it appears to be a valid security certificate for PayPal.
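As an added illustration (not from the show or the wiki), the check below contrasts a C-style comparison that truncates at the zero byte with a length-aware comparison that rejects any certificate name containing one; the certificate names are constructed sample values, and the function names are my own:

```python
# Added example, not part of the original show notes: comparing a certificate's
# host name against the expected host with and without the null-byte mistake.

NUL = b"\x00"


def c_string_view(name: bytes) -> bytes:
    """Mimic a C-style consumer: everything after the first zero byte is ignored."""
    end = name.find(NUL)
    return name if end == -1 else name[:end]


def naive_match(cert_name: bytes, expected_host: str) -> bool:
    """The flawed comparison described in the answer: the name is truncated
    at the first null before being compared, so the trailing domain is lost."""
    seen = c_string_view(cert_name).decode("ascii", "replace")
    return seen.lower() == expected_host.lower()


def safe_match(cert_name: bytes, expected_host: str) -> bool:
    """Length-aware comparison: a legitimate DNS name never contains a zero
    byte, so any such name is rejected outright; otherwise compare the whole
    byte string (case-insensitively, as DNS names are)."""
    if NUL in cert_name:
        return False
    try:
        name = cert_name.decode("ascii")  # DNS names in a CN/SAN are ASCII (IDNs use punycode)
    except UnicodeDecodeError:
        return False
    return bool(name) and name.lower() == expected_host.lower()


# Constructed sample names: the crafted one from the answer above and an honest one.
CRAFTED = b"www.paypal.com\x00.mymaliciousdomain.com"
HONEST = b"www.paypal.com"

if __name__ == "__main__":
    print("naive, crafted:", naive_match(CRAFTED, "www.paypal.com"))  # True: fooled
    print("safe,  crafted:", safe_match(CRAFTED, "www.paypal.com"))   # False: rejected
    print("safe,  honest: ", safe_match(HONEST, "www.paypal.com"))    # True
```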

Question: [ 02 ]

01:01:19 - 01:04:42 Andrew H. (Texas) & David Horwitz (Denver, Colorado)
Question: Microsoft Security Essentials will not be free for commercial use. What is your opinion of the product, and when will it be available without the beta label?

Answer: Reports suggest that it is very accurate at finding viruses, and it will be out of beta later in 2009.

Question: [ 03 ]

01:04:43 - 01:13:30 Phil (Los Angeles)
Question: What are the security implications of tethering your mobile device to your laptop and using it for an internet connection?

Answer: The encryption used for digital cellular connections has been broken. There may also be security implications if your ISP puts you behind a NAT router. If you are going to use it, ensure you are behind a firewall and use SSL to carry out sensitive transactions.

Question: [ 04 ]

01:13:31 - 01:21:21 John Jones (Wirral, U.K.)
Question: When I use Gmail I force it to always use HTTPS. However, after reading my emails the indicator changes from green to red, saying "this page is only partially encrypted". What is going on? Is my connection encrypted or not?

Answer: It is likely that your emails themselves are being encrypted but other assets, such as images contained in the email, are not. It is unlikely to be something you need to be concerned about.

Question: [ 05 ]

01:21:22 - 01:31:00 Ryan (New York)
Question: My new router has an option to use WPA-PSK [TKIP] + WPA2-PSK [AES]. How does this work? Also, how do I get my parents to use better passwords?

Answer: This allows clients to connect using either method, and it can be used as it doesn't really pose any security threat. It's hard to make your parents use better passwords, but you could try to compromise with them and get them to use one stronger password on all their websites. Leo suggests using a bookmarklet which uses one master password to generate secure passwords for all your websites. Link

Comment: [ 06 ]

01:31:01 - 01:33:41 D Kevin Ghadyani (Overland Park, Kansas)
Listener Comment: Thank you for reading my comment out, and I will include your explanation when covering your site on Mine.

Steve's Comment: This is a good lead into the next question

Comment: [ 07 ]

01:33:42 - 01:34:51 David Johnston (Sydney, Australia)
Listener Comment: Thank you for talking about HTML validation and explaining to people that if you want your site to work on all browsers, your code probably won't validate. I have the same issues.

Steve's Comment: It makes me feel better to know other people are having similar issues

Comment: [ 08 ]

01:34:52 - 01:38:17 Kendall Bailey (Des Moines, Iowa)
Listener Comment: I use Google Checkout to buy from www.buy.com and haven't had any of the issues relating to the web loyalty programs.

Steve's Comment: Using a service like this or PayPal is a great way to buy things online

Question: [ 09 ]

01:38:18 - 01:43:19 Matt Ridley (Appleton, Wisconsin)
Question: Last episode you said you don't understand why we can't be proactive and take these bad computer clusters down. However, you reprimanded the BBC for buying a botnet and telling the users their PC had been infected. Am I missing something?

Answer: They were talking about how the laws need to change, as there are lots of laws making life harder for the white hats while the black hats just do whatever they want.

Comment: [ 10 ]

01:43:20 - 01:46:16 Justin Lowmaster (Oregon)
Listener Comment: I purchased some tickets from Fandango and was tricked by the web loyalty program. However, I rang them up and the charge was refunded.

Steve's Comment: It's important to check your credit card statements.

Question: [ 11 ]

01:46:17 - 01:51:15 Dan (Walpole, Massachusetts)
Question: My parents keep getting trojans even though they are using antivirus software and automatic updates. What else can I do to protect them?

Answer: You can only do so much to protect your parents against their own bad habits, but one thing to try is getting them to change their email client from Outlook.

Question: [ 12 ]

01:51:16 - 01:55:41 David Stephens (Bloomington, Indiana)
Question: Can a VPN be used to transport a virus?

Answer: Yes, it could, but you can use multiple routers to segment the network and limit how far it spreads.

Question: [ 13 ]

01:55:42 - 02:01:57 Dave Schuh (Maple Grove, Minnesota)
Question: Could you keep us updated on your Vitamin D research?

Answer: The next episode will be all about my research

Sponsors

Audible

Picks

The Winds of Dune by Brian Herbert, Kevin J. Anderson (UNABRIDGED)
Narrated by Scott Brick
  • Ad Time: 0:36-0:47 and 6:42-11:31

GoToMyPC

Production Information

  • Recorded Date: August 5, 2009
  • Release Date: August 6, 2009
  • Duration: 2:03:04
  • Log line:
  • Edited by: Tony
  • Notes:
  • Leo didn't say "72" in the open. He ok'ed the show without show # in the open.