Security Now 231

From The Official TWiT Wiki

Security Now 231: Security Omnibus and CES Update

Steve catches up with a mega security update, then gives us some of his favorite (wacky) products from CES.

News & Errata

04:41 - 04:50

04:51 - 09:10

  • Google suffered a cyber attack from China in which there was attempted theft of intellectual property and attempts to break into human rights activists' Gmail accounts
  • So Google will either no longer censor search results in China or leave China

09:11 - 11:40

  • Steve thinks it is important for Leo to always have a clock behind him in recordings and suggests he timestamps all the videos digitally

14:35 - 20:02

  • Microsoft Patch Tuesday
    • OpenType Vulnerability Fixed
    • Critical ONLY for Windows 2000
    • An earlier security update trimmed the max length to 5,000 bytes for NameTable entries, which broke some fonts. It's now restored to 64K
    • No fix for the zero-day flaw in the Server Message Block protocol, which Microsoft acknowledged in November.

20:03 - 26:34

  • Adobe patched a Reader vulnerability that's being actively used in both widespread and targeted attacks.
  • Steve had to ask for it manually and recommends disabling JavaScript inside of Adobe Reader
  • Adobe is going to put a new "Silent Update" into beta

26:35 - 30:29

  • Proof-of-concept code has been released for a vulnerability in the string to double precision function in Mac OS 10.5 & 10.6
  • Everyone but Apple has already fixed the vulnerability

30:30 - 35:20

  • The full GSM code book has been produced, which reverse-engineers the effect of the pseudorandom number generator
  • In hours you can now decrypt and listen to a conversation which has taken place over a phone using GSM
  • Companies need to move from the A5/1 cipher to the A5/3 cipher

35:21 - 37:03

  • Firefox 3.0 has been updated, but Mozilla is no longer going to update it, and users should move to version 3.5

40:00 - 49:13

  • The American Bankers Association recommends businesses use a separate machine for online banking

49:14 - 52:30

  • France's new anti-piracy law has come into effect
  • 1st Accusation - email notification & warning
  • 2nd Accusation - written notice in the mail
  • 3rd Accusation - appear before a judge for fining and/or account suspension

52:31 - 56:22

  • A six-member bipartisan group formed from leaders of the U.S. House Ways and Means Committee, Energy Committee, and Commerce Committee wrote a formal letter criticizing the proposed regulation for what's called the Protected Health Information Act, the PHI Act.
  • The language in what they were proposing said that organizations who had a health information breach could decide not to notify patients of that breach if the organization determines that it, quote, "...presents no significant risk of harm."

56:23 - 01:02:40

  • McAfee's Annual Security Predictions Report for 2010:
  • Adobe will surpass Microsoft as hacker target
  • Acrobat Reader and Adobe Flash will be the top targets
  • Banking Trojans will continue to increase in sophistication.
  • Hacking is less and less for play, it's becoming much more about the money
  • Targeted Attacks will increase

01:02:41 - 01:06:15

  • Y2K10 Bugs
  • 30 Million German credit cards stopped working on January 1st 2010
    • A temporary fix was to put tape over the chip
    • A potential fix is to reprogram the chips on the card
  • Windows Mobile users started getting messages dated 2016

01:06:16 - 01:12:30

  • There are three producers of AES 256-bit encrypted drives.
  • Kingston, SanDisk, and Verbatim: the Kingston DataTraveler BlackBox, the SanDisk Cruzer Enterprise FIPS Edition, and the Verbatim Corporate Secure FIPS Edition.
  • These devices have all received the FIPS 140-2 Level 2 certificate, which validates devices as being secure for use with sensitive government data. And they are completely hackable.
  • You use some software that comes with a key, which prompts you for your password. You put your password in. And it does some mumbo jumbo with your password and, no matter what your password is, it sends the same key string into the AES-256 cipher engine.
  • There is a firmware update to fix the problem
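
The design difference behind this item, as an added example that is not from the episode or from any vendor: a constructed Python model in which the flawed drive receives the same unlock string for every password, next to a drive whose key is derived from the password. All class names, the unlock string, and the choice of PBKDF2 with a key check value are assumptions made for illustration.

```python
import hashlib
import hmac
import os

# Constructed model of the flaw described above; names are hypothetical and
# this is not any vendor's firmware or unlock protocol.
FIXED_UNLOCK = b"CONSTRUCTED-FIXED-UNLOCK-STRING"


class FlawedDrive:
    """Password is checked on the host; the drive only ever sees a constant."""

    def __init__(self, password: str):
        self._host_hash = hashlib.sha256(password.encode()).digest()

    def host_unlock_message(self, password: str):
        # Host-side check, then the same bytes go out for every password.
        ok = hmac.compare_digest(
            hashlib.sha256(password.encode()).digest(), self._host_hash)
        return FIXED_UNLOCK if ok else None

    def device_accepts(self, message: bytes) -> bool:
        # The drive cannot tell whether the host-side check ever ran.
        return message == FIXED_UNLOCK


class DerivedKeyDrive:
    """The data key is derived from the password and never stored."""

    def __init__(self, password: str):
        self.salt = os.urandom(16)
        key = self.derive(password)
        # Key check value: lets the device reject a wrong key
        # without keeping the key itself.
        self._kcv = hmac.new(key, b"kcv", hashlib.sha256).digest()

    def derive(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac(
            "sha256", password.encode(), self.salt, 200_000, 32)

    def device_accepts(self, key: bytes) -> bool:
        candidate = hmac.new(key, b"kcv", hashlib.sha256).digest()
        return hmac.compare_digest(candidate, self._kcv)
```

In the first model the secret that unlocks the data does not depend on the user's password at all, so the strength of AES-256 is irrelevant; in the second, nothing the drive will accept can be produced without the password.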

01:12:31 - 01:15:33

  • Some hackers were able to penetrate the virtualization boundaries in Amazon's Elastic Computing Cloud service and view what was going on on other people's servers

01:15:34 - 01:17:28

  • A federal appeals court panel is questioning the Federal Communications Commission's (FCC) authority to impose net neutrality rules on Comcast
  • The providers say they are entitled to seek returns on their investments by offering premium services.

01:17:29 - 01:21:10

  • SANS Top Ten Reasons Computers Don't Have Security:

10. "I just use my computer for email and web browsing."
9. "I've never had any virus problems."
8. "It kept popping up all the time."
7. "It might crash my system."
6. "My subscription kept expiring."
5. "It slows down my system."
4. "I thought it came with the computer."
3. "It's too expensive."
2. "Macs don't need security."
1. "I don't know what to buy or how to install it."

Spinrite Story

01:21:10 - 01:25:05 Michael Nordamrk (Des Moines)

A listener had to present a network he built for his final exam. While trying to complete a task set by the teacher, he got an error message saying the file location was damaged. He ran Spinrite on the domain controller for 45 minutes and it fixed the problem. He was able to complete the task and pass the exam.

Steve's Favourite CES Products

01:28:35 - 01:52:42

01:52:43 - 01:57:44

  • Steve has a new PDP 8 section on his website

Sponsors

Go To Meeting

Sync

Carbonite

  • Carbonite Offer Code: SecurityNow
  • Ad Time: 0:57-1:12 and 1:25:07-1:28:31

Production Information

  • Edited by: Tony
  • Notes: