Security Now 232

From The Official TWiT Wiki
Jump to: navigation, search
Security Now
Episode 232

Security Now 232: Your Questions, Steve's Answers 84

News & Errata

07:45 - 17:50

  • Steve recommends anyone that who doesn't use Internet Explorer as their main browser does the following:
  • Launch Internet Explorer
  • Under internet options
  • Go to the bottom line "Internet Options"
  • Choose the security tab
  • Set both the internet zone and local intranet zone security to "High"
  • Set trusted sites zone to default level
  • Add "*.windowsupdate.com" and "*.microsoft.com" to the trusted sites
  • This will mean that internet explorer will ONLY work on Microsoft's website and Windows Update's site

17:51 - 19:58

  • GMAIL now enforces HTTPS connections by default
  • Google say this is due to an increase in use of free open wifi hotspots
  • Hotmail and Yahoo mail do not do this

19:59 - 21:35

  • A researcher claims to have found code used in the Google cyber attack that is used in China

21:36 - 22:52

  • Microsoft are releasing an out of cycle update to fix the problem in internet explorer that was used to attack Google

22:53 - 28:46

  • The IETF has ratified the fix for the SSL renegotiation vulnerability
  • In order not to break poorly implemented but widely distributed existing SSL it requires that the extra information for securing renegotiation be stuck in as a fake cipher
  • No one has implemented it yet though (as of January 20, 2010)

28:47 - 33:05

  • Steve received an email claiming to be from the manager of UPS from service@ups.com
  • It was full of grammatical and spelling errors as well as a tracking number that was obviously fake
  • Attached was an executable file that they claimed to be a invoice
  • This is a common attempt to infect users computer and it is obvious just from reading it that it is fake

01:42:57 - 01:44:20

  • Next week Security Now will be recorded on Tuesday, January 26, 2010, at 11:00 a.m. Pacific, 2:00 p.m. Eastern as Leo will be at Apples event on the Wednesday

Spinrite Story

33:06 - 36:40 Dan Collins (Unknown)

A listener used Spinrite to fix his grandmothers 'picture computer'. He also notes that spinrite wouldn't boot from a 16gb memory stick but would from a 512mb memory stick.

Questions & Answers

Question: [ 01 ]

39:40 - 46:39 Walt Houser (Potomac, Maryland)
Question: Is their a ISO for a live CD tailored for online banking ?

Answer: Their is no live CD specifically tailored for online banking but you could use; Ubuntu or go to Distro Watch to get a list of Linux versions.

Comment: [ 02 ]

46:40 - 48:29 Bella Vista (Arkansas)
Listener Comment: I just wanted to thank you both for a fantastic show. I, too, have never missed listening to Security Now!. Not only do I get my computer security needs met, I also get my fix for great science fiction books to read. This Christmas I downloaded the electronic versions of "Gibraltar Earth," "[Gibraltar] Sun," and "[Gibraltar] Stars." I'm halfway through "Gibraltar Sun" and couldn't be happier with the series. After I finish with "Gibraltar Stars," I plan on getting "The Mote in God's Eye," another recommendation of yours. Keep up the good work on both fronts.

Steve's Comment: Steve wants to remind people about the Gibraltar series

Question: [ 03 ]

48:30 - 54:16 Josh H. (Mississippi)
Question: Is it possible to encrypt data that is in RAM ?

Answer: You could perhaps do it in theory but it is not practical and most people do not need to worry about having their data in RAM stolen

Question: [ 04 ]

54:17 - 01:07:15 Derek Bailey (Ohio)
Question: Do you have any advice for a struggling IT guy seeking to work without the degree but plenty of credentials? Maybe how you were able to attain such positions at such a young age. Any advice would be much appreciated

Answer: Steve used to work for free at the places he wanted to get a job at and then after he had shown them what he could do they would offer him a job. He also recommends choosing something you enjoy and becoming really really good at it so you become on of the best people in that area. Steve is also sceptical about qualifications as the best guy he has ever hired was a hobbyist still in high school. Leo and Steve both agree that passion is important

Question: [ 05 ]

01:07:16 - 01:17:48 Anon (San Miguel de Allende, Guanajuato, Mexico)
Question: I am trying to log into my router but I cant get the password from my ISP, so I have some questions is there any way to reset the modem to the default password, or is the device effectively bricked? Two, is there any way to determine the real IP address or addresses of the DNS server I'm using when the router reports a local address? Three, if I manually configure my preferred DNS servers in Windows, does this take precedence over the DNS entries served up by the router; and, if so, is this the way everyone should deal with routers that are managing DNS queries?

Answer: Steve is not an expert on your specific router but without the password he can not see how to reset the router. You could determine the IP address of your DNS servers by using packet sniffing. You can configure the DNS servers in Windows and it does take precedence over the DNS entries in your router.

Question: [ 06 ]

01:17:49 - 01:23:29 Giovanni Martinez (Toa Alta, Puerto Rico)
Question: I visited Shadowserver.org, and it is great. But when I wanted to subscribe to the mailing list, it took me to mail.shadowserver.org/mailman/listinfo/shadowserver, et cetera, and then I got a certificate error. Is it safe to trust this website ?

Answer: The problem is the certificate is self signed so you know that you have a secure connection but you do not get authentication that the site you are on is, who they say they are. But it's probably safe to proceed.

Question: [ 07 ]

01:23:30 - 01:29:25 Neil Ellis (U.K.)
Question: What are your recommendations for books ?

Answer: Freedom by Daniel Suarez and Daemon by Daniel Suarez

Question: [ 08 ]

01:29:26 - 01:35:27 Rick Lim (Surrey, British Columbia)
Question: How do we tell a cheap non-EV cert from a trustworthy non-EV cert? and what cert fields are significant?

Answer: EV certs are "Extended Validation Certificates" that turn the bar green when you visit the site. To get one of these you need to go to greater lengths to prove your identity to the registrar. To tell who signed it follow the certificate chain back to the root and then ensure it is a reputable company.

Private Browsing Tip of the Week: [ 09 ]

01:35:28 - 01:38:51 Andy Goldbaum (Warwick, New York)
Tip: I discovered that when using Firefox in Private Browsing Mode or when you clear recent history, NoScript retains the website address of any site you said okay to in the whitelist tab. Adobe Flash also continues to store Flash cookies in Private Browsing Mode, as well. So if you want to browse the web privately, at least as far as your own computer is concerned, you also need to delete the NoScript whitelist entry and Flash cookies.

Steve's Comment: This is a good point

Keyboard Cleaning Tip of the Week: [ 10 ]

01:38:52 - 01:41:58 Laslo Huhtala (Sweden)
Tip: pry the key caps off. Stick the key caps in one of those bags people use for cleaning their delicates and throw the bag in the washer. The washing bag keeps everything together. Of course you want to avoid aggressive cleaning agents and high heat. Your ordinary liquid washing agent is fine. He uses the hand wash temperature setting up to regular temperatures, but not over 40 Celsius. You can actually also stick cables, for example, detachable keyboard cables, in the same bag and wash those. Works like a charm.

Make darn sure you've fully dried that before you plug that cable back in. No wet cables.

Steve's Comment: This is a good tip

Sponsors

Go To Meeting

Audible

Picks

Audibledotcom.png
Freedom (TM) by Daniel Suarez (UNABRIDGED)
Narrated by Jeff Gurner
Audibledotcom.png
Daemon by Daniel Suarez (UNABRIDGED)
Narrated by Jeff Gurner

Production Information

  • Edited by: Tony
  • Notes:
Info.png This area is for use by TWiT staff only. Please do not add or edit any content within this section.