Security Now 222

From The Official TWiT Wiki

Security Now 222: Your Questions, Steve's Answers 79

News & Errata

03:50 - 05:30

  • Someone has created a Vitamin D iPhone application based on Steve's podcast
  • It is called 'Vitamin D Listen and Learn'

10:38 - 14:55

  • As well as installing a speech application demo on Steve's computer, the Adobe updater installed a toolbar in Internet Explorer
  • Adobe Shockwave Player has five critical vulnerabilities; users should update to version 11.5.2.602

14:56 - 16:15

  • The Java Runtime Environment has multiple vulnerabilities, but no update was available at the time of recording

16:16 - 20:47

  • France was proposing a "three strikes" law: anyone accused of illegal file sharing three times would be banned from the internet
  • However, the EU is trying to create a unified law, and it appears that this will no longer be the case and that there will be a more pro-user policy
  • There is also a treaty, ACTA, being negotiated in secret that would apply worldwide and that does propose the three strikes policy

20:48 - 21:37

  • This Patch Tuesday there were:
    • 3 Critical updates
    • 3 Important updates

21:38 - 23:27

  • Leopard and Snow Leopard were updated
  • Apple has released no details about what the updates do
  • But the Snow Leopard update breaks support for Intel Atom processors

23:28 - 26:47

  • There is an iPhone worm in the wild called 'iKee'
  • It spreads by connecting to the SSH service on jailbroken iPhones that have SSH installed and logging in with the default root password ('alpine'), which many users never change

26:48 - 28:34

  • There is a renegotiation flaw in SSL/TLS (CVE-2009-3555); it is in the renegotiation handshake and affects all versions of the protocol, not just the latest
  • A man in the middle cannot read the encrypted traffic, but can splice a request of their own in front of a victim's connection so that the server treats it as the victim's own transaction

28:35 - 29:52

  • There are PDF and PowerPoint files of John Cummings' JavaScript presentations available on Steve's website

Spinrite Story

29:53 - 34:20 Cody Krieger (Unknown)

A listener used a pirated copy of SpinRite to repair a few of his hard drives and then purchased a legitimate copy from Steve

Questions & Answers

36:35 - 01:40:10

Question: [ 01 ]

36:35 - 41:56 Mike (Baltimore, Maryland)
Question: Is it more secure to change my SSH port every day rather than leave it alone?

Answer: Steve isn't a fan of this idea. He recommends using a really secure password instead, and disabling the service unless you need it.

Question: [ 02 ]

41:57 - 53:53 Dana Rae Park (Kelseyville, California)
Question: When I access the 2701HG-B Gateway System Summary through my browser, there is a Firewall icon which tells me, "The firewall actively blocks access of unwanted activity from the Internet." Am I behind two firewalls, one on the router and one on XP? The Summary also says "Your system software is current. Check back for future available upgrades." I don't know what the 2701HG-B gateway is. Do routers phone home for updates like XP? Am I safe? Am I practising safe computing?

Answer: You are behind two firewalls. Routers do sometimes require updates, and not all of them download updates automatically.

Comment: [ 03 ]

53:54 - 01:05:02 Andrew DeFaria (Tempe, Arizona)
Listener Comment: Here are some tips to secure SSH: 1) Use a preshared key rather than a username and password. 2) I use a Perl script to automatically email the upstream provider of anyone who tries to brute force the password. 3) Shadow all log files to another location and then compare the two logs to detect any modifications, which would indicate a break-in.

Answer: 1) Using a preshared key is a great idea, but 2) the automated email thing is a bad idea, and 3) if your computer is compromised the bad guy could modify both log files.
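The detection step behind the listener's tip 2 (and the failed-password noise that Question 1's fixed, exposed SSH port accumulates), as an added example that is not code from the podcast or the listener's script: it parses OpenSSH auth.log lines, counts "Failed password" events per source address in a sliding window, and reports addresses that exceed a threshold. The log lines are constructed, the threshold (5 attempts) and window (60 s) are assumed values to tune per host, and syslog timestamps carry no year so one (2009) is assumed. It deliberately stops at reporting; following Steve's caveat, it does not email anyone.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of OpenSSH auth.log lines (not real traffic); hostnames
# and addresses are documentation-range placeholders.
SAMPLE_AUTH_LOG = """\
Nov 12 10:01:02 gw sshd[2101]: Failed password for root from 203.0.113.5 port 51234 ssh2
Nov 12 10:01:04 gw sshd[2101]: Failed password for root from 203.0.113.5 port 51234 ssh2
Nov 12 10:01:07 gw sshd[2103]: Invalid user admin from 203.0.113.5
Nov 12 10:01:07 gw sshd[2103]: Failed password for invalid user admin from 203.0.113.5 port 51240 ssh2
Nov 12 10:01:09 gw sshd[2105]: Failed password for invalid user oracle from 203.0.113.5 port 51244 ssh2
Nov 12 10:01:11 gw sshd[2107]: Failed password for invalid user test from 203.0.113.5 port 51250 ssh2
Nov 12 10:02:30 gw sshd[2110]: Failed password for alice from 198.51.100.7 port 40000 ssh2
Nov 12 10:02:41 gw sshd[2110]: Accepted publickey for alice from 198.51.100.7 port 40000 ssh2: RSA SHA256:c0nstructed
Nov 12 10:45:00 gw sshd[2200]: Failed password for root from 203.0.113.5 port 52000 ssh2
"""

# Syslog-style sshd lines: timestamp, host, "sshd[pid]:", then the event and
# the peer address after "from".
LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"\S+ sshd\[\d+\]: (?P<event>Failed password|Accepted \w+|Invalid user) "
    r".*?from (?P<ip>\S+)"
)


def parse_auth_log(text, year=2009):
    """Return [(timestamp, event, ip)] for recognised sshd lines.
    Syslog timestamps carry no year, so one is assumed (2009 here)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}",
                               "%Y %b %d %H:%M:%S")
        events.append((ts, m["event"], m["ip"]))
    return events


def find_brute_force(events, threshold=5, window_seconds=60):
    """Flag source addresses with at least `threshold` failed password attempts
    inside any `window_seconds` span (both values are assumptions; tune them).
    Returns {ip: (window_start, window_end, count)}, the densest window per ip."""
    failures = defaultdict(list)
    for ts, event, ip in events:
        if event == "Failed password":
            failures[ip].append(ts)
    flagged = {}
    for ip, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):  # sliding window over sorted attempt times
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            count = end - start + 1
            if count >= threshold and (ip not in flagged or count > flagged[ip][2]):
                flagged[ip] = (times[start], times[end], count)
    return flagged


if __name__ == "__main__":
    for ip, (first, last, n) in find_brute_force(parse_auth_log(SAMPLE_AUTH_LOG)).items():
        print(f"{ip}: {n} failed passwords between {first:%H:%M:%S} and {last:%H:%M:%S}")
```

On the sample, 203.0.113.5 is flagged (five failures in nine seconds, the later single failure at 10:45 does not extend the window) while 198.51.100.7, one mistyped password followed by a key login, is not. Feed it a real log and the single-source counts are the part worth acting on; the listener's next step (emailing the address's provider) is the part Steve advises against.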

Question: [ 04 ]

01:05:03 - 01:12:15 Duane McElvain (Chicago, Illinois)
Question: You said that if every website used SSL throughout the whole site then it would put a large load on the server. However, you later said that some sites now use a 2048-bit key as processing power is so great it doesn't matter.

Answer: It used to put a lot of stress on servers to use SSL, but now, with improvements in technology and modifications to the protocol, it puts less stress on the servers.

Comment: [ 05 ]

01:12:16 - 01:18:16 Jason M. (San Diego)
Listener Comment: You said that public keys normally expire in about 3 years; this may be true of the certificate, but not the key.

Steve's Comment: This is correct; normally on Windows the keys are automatically changed, though.

Comment: [ 06 ]

01:18:17 - 01:23:32 Paul Wilde (Bristol, UK)
Listener Comment: My bank forces you to use a big, fat, ugly calculator-type device to generate a PIN when you want to use their website. This means I have to take it with me if I want to use my bank's website, which is annoying.

Steve's Comment: Steve agrees that security shouldn't annoy the user too much, and companies need to strike a balance between security and ease of use.

Comment: [ 07 ]

01:23:32 - 01:33:20 Jason (Rochester, Minnesota)
Listener Comment: If someone is watching your traffic then they could determine what your port knocking sequence is. It would be better to use something like the PayPal football to pseudo randomly generate the ports that need to be knocked.

Steve's Comment: Steve is not a fan of port knocking, as packets can arrive out of order, but this is a good idea.
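The listener's idea above, as an added example that is not code from the podcast or the listener: each 30-second time window's knock sequence is derived from a shared secret and the window counter with HMAC-SHA256, the way a TOTP token derives its digits from a secret and a time counter, so a sniffer sees a sequence that is useless in the next window. Both ends are shown: the client computes its ports, and the server consumes observed knocks, accepting the current and one previous window for clock skew. The secret, sequence length, window length, port range and skew tolerance are all assumed parameters, not a standard. The server requires the knocks strictly in order, so the example also shows Steve's caveat: knocks that arrive out of order, or a replayed sequence in a later window, do not open the port.

```python
import functools
import hashlib
import hmac
import struct
import time

# Assumed parameters (illustrative, not a standard): ports per knock sequence,
# the time window a sequence is valid for, and the port range knocks fall in.
KNOCK_COUNT = 4
WINDOW_SECONDS = 30
PORT_LOW, PORT_HIGH = 10000, 60000


@functools.lru_cache(maxsize=64)
def knock_sequence(secret: bytes, counter: int):
    """Knock ports for one time window: HMAC-SHA256 over the window counter
    (as TOTP does for its digits), sliced into 16-bit values and mapped into the
    port range. Same secret and counter give the same ports on both ends."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha256).digest()
    ports = []
    for i in range(KNOCK_COUNT):
        value = struct.unpack(">H", digest[2 * i:2 * i + 2])[0]
        ports.append(PORT_LOW + (value % (PORT_HIGH - PORT_LOW)))
    return tuple(ports)


def client_knocks(secret: bytes, now=None):
    """Client side: the ports to send SYNs to, in order, for the current window."""
    now = time.time() if now is None else now
    return knock_sequence(secret, int(now // WINDOW_SECONDS))


class KnockServer:
    """Server side: consumes observed SYNs (src, port, time) and records a source
    as allowed once it has sent a whole sequence, in order, within an acceptable
    window. Accepting `skew_windows` earlier windows tolerates a client clock
    that runs a little behind, as TOTP validators do."""

    def __init__(self, secret: bytes, skew_windows=1):
        self.secret = secret
        self.skew_windows = skew_windows
        self.progress = {}   # src -> {window counter: index of next expected port}
        self.allowed = set()

    def _valid_counters(self, now):
        current = int(now // WINDOW_SECONDS)
        return {current - k for k in range(self.skew_windows + 1)}

    def receive(self, src, port, now):
        """Feed one knock. Returns True when `src` completes a valid sequence."""
        valid = self._valid_counters(now)
        state = self.progress.pop(src, None)
        if state is None:  # first knock from src: every acceptable window is a candidate
            state = {c: 0 for c in valid}
        # Keep only candidates still inside an acceptable window whose next
        # expected port is exactly this one; a wrong or out-of-order knock
        # empties the set and the source has to start over.
        state = {c: i + 1 for c, i in state.items()
                 if c in valid and knock_sequence(self.secret, c)[i] == port}
        if not state:
            return False
        if KNOCK_COUNT in state.values():
            self.allowed.add(src)
            return True
        self.progress[src] = state
        return False


if __name__ == "__main__":
    secret = b"constructed-shared-secret"  # constructed; provision a random secret in practice
    server = KnockServer(secret)
    for port in client_knocks(secret):
        server.receive("203.0.113.9", port, time.time())
    print("allowed:", sorted(server.allowed))
```

The sequence changes every window, so capturing one does not help an attacker who replays it later, which is the listener's point; but because the server matches knocks in order, a network that reorders the four SYNs resets the attempt, which is Steve's. A deployment that wanted to tolerate reordering would have to accept the four ports as a set within the window, at the cost of letting an observer permute a captured sequence inside that same window.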

Biometric Abuse Story of the Week: [ 08 ]

01:33:21 - 01:40:10 Michael OConnor (Oswego, Illinois)
Story: His bank insisted that he give them his fingerprints before cashing a cheque.

Steve's Response: Steve is against casual disclosure of biometric data.

Significant Products

Sponsors

Ford Sync

Go To My PC

Production Information

  • Edited by: Tony
  • Notes: Leo has problems with the camera.