Security Now 271

From The Official TWiT Wiki

Security Now 271: Your Questions, Steve's Answers #103

Security News

06:16 - 15:42

  • Microsoft discovered that the number of attacks against Java has increased dramatically
  • http://blogs.technet.com/b/mmpc/archive/2010/10/18/have-you-checked-the-java.aspx
  • SANS says many of these vulnerabilities are created by flaws in the low-level implementation of the Java Runtime Environment (JRE).
  • "Although Java is intended to be type safe, low-level code sometimes writes user-defined strings to C buffers, giving an attacker the opportunity to overwrite return addresses and execute code."
  • Java exploits now exceed Adobe-related exploits
  • The latest Java is v6 update 22

15:43 - 18:29

  • Adobe Reader 10 is due in November and will include Sandboxing turned ON by default
  • "Write Calls" will initially be sandboxed, "Reads" later.

18:30 - 32:24

  • Feedback from Microsoft's MSRT Tool:
  • http://www.microsoft.com/security/sir/keyfindings/default.aspx
  • 450 million PCs worldwide running MSRT and MSE (Microsoft Software Removal Tool & Microsoft Security Essentials)
  • Nearly 1.9 million PCs were infected, some multiple times.
  • US machines experienced 2.16 million bot cleanings (5.2 per 1000 MSRTs)
  • Brazil #2 with 511 thousand (also 5.2 cleanings per 1000 MSRTs)
  • Korea #4 with 423 thousand, but 14.6 cleanings per 1000 MSRTs
  • Overall infection rate: 1.4%
  • Drive-by-Download pages: 3 out of every 10,000 web pages
  • Appeared on about 2 of every 1000 search results pages
  • #1 China (.cn domain) had the most infected sites, at 5.8% of .cn domains [Steve and Leo suggest that .cn registration is limited to Chinese registrants; there is no such restriction, per [1]].
  • #2 & 3, Russia (.ru) and Germany (.de), both with 2.8% of domains
  • #4 United Kingdom (.uk) with 1.7% of domains
  • Overall, security breach incidences have been on a continual downward trend since 1st half of '08, and are now about half of what they were 2 yrs ago.
  • Overall, the vulnerability counts are also falling since 2nd half of 2006.
  • The top threats are Trojans and Worms.
  • Gaming password stealers (Win32/Taterf & Win32/Frethog) are the 2 most commonly detected malware families.
  • Fake Security Software (Scareware) is one of the most common methods attackers are using to swindle money from victims.

32:25 - 41:52

  • Lower Merion County Pennsylvania School District Settles Webcam Lawsuits:
  • Settlement came after federal authorities announced they would not prosecute the administrators. "Zane David Memeger, the United States Attorney for the Eastern District of Pennsylvania said that he found 'no criminal intent' in the alleged surveillance."
  • School district pays $610,000 to settle the lawsuit.
    • The attorneys get $425,000
    • The students get the remaining $185,000
  • School district's insurer, Graphic Arts, agreed to pay $1.2 million in the school district's defense costs.

SpinRite

41:53 - 46:35 David Speinger (Unknown)

SpinRite fixed a broken hard drive.

Questions & Answers

50:41 - 01:43:51

Question [ 01 ] - Vegard in Norway wonders about the security of Bluetooth keyboards?

50:41 - 54:22
Question: What about the security on Apple's Bluetooth keyboard? Isn’t anything “Bluetooth” more secure than a simple 8 bit XOR?

Answer: Anything “Bluetooth” is more secure than a simple 8 bit XOR, and Bluetooth keyboards are secure.

Question [ 02 ] - Al Murray in Gainesville Florida wonders about Computrace's LoJack for Laptop security:

54:23 - 01:02:35
Question: What are your thoughts on Computrace and LoJack?

Answer: Steve likes the idea of these products in the BIOS but says that you need to decide if it's worth the cost. What they do is ping the Computrace servers once a day when the laptop is turned on. If your laptop is lost or stolen, Computrace can update the location of the laptop every 15 minutes using Wi-Fi geolocation and its IP. Computrace can also remotely lock down the computer or wipe the hard drive.

Question [ 03 ] - Krister Jonsson in Lycksele, Sweden wonders about "Anonymous" Web Surveys...

01:02:36 - 01:09:50
Question: I've been asked to fill out surveys and questionnaires at work. The surveys are supposed to be anonymous, but quite often I get a link containing a unique ID so that the person who made the survey can see who finished the survey and who hasn't done it yet. I always ask how I can trust that the survey really is anonymous, and so far the answers I get are along the line "yes, you have a unique ID so I can see if you filled out the survey or not, but I can't connect your answers to you". But they have the list with all the IDs, and they know who got what ID, and it would be very easy for the survey to store the ID with the answers.


To me this feels like playing cards with someone saying "trust me, I don't cheat" while they leave the room to supposedly shuffle the cards.


Is there a way to design a web survey so that the respondents can trust the system, while at the same time those offering the survey, and wanting the results, can know who has answered or not?

Answer: The only way Steve can see to do this anonymously would be to have a public PC that you use to fill out the survey, which then gives you a unique ID at the end. You then write your ID down and put it in a hat, so that management can compare the number of IDs in the hat against the number of people asked to take the survey, to check that everyone did it.

Question [ 04 ] - Scot in Seattle worries about the security of his Windows Gadgets...

01:09:51 - 01:12:17
Question: Are there any dangers with Windows Desktop Gadgets? Is it dangerous to download and use a desktop gadget written by someone you don't know and not by an established company who signs their gadget?

Answer: The gadgets are not necessarily secure.

Question [ 05 ] - Jason Crow in Rochester, MN wonders about an Evercookie workaround?

01:12:18 - 01:16:33
Question: If I have an image of my OS partition, and I restore that image on a regular basis (say every 3 or 4 days), does Evercookie have a way of working around that and saving its "super-cookies"?


Could Evercookie be storing information on the boot partition, or D: (data) drive? Do you think other tracking schemes could?

Answer: This could certainly happen.

Question [ 06 ] - Steven Musumeche in New Orleans, LA wonders about Wireless Keyboard Encryption:

01:21:29 - 01:25:32
Question: I use the Logitech K320 wireless keyboard and they claim that it uses AES-128 bit encryption. http://www.logitech.com/en-us/for-business/products/keyboards/devices/6528 What do you think?

Answer: Logitech got it right; this product is secure.

Question [ 07 ] - David Eckard in Durham, NC wonders about IP Space Depletion... Subject: 95% used up

01:25:33 - 01:41:38
Question: According to this article, http://news.cnet.com/8301-30685_3-20019836-264.html IPv4 addresses are now at 95% used up. They want an orderly move to IPv6.


I still say that there has not been enough work done on the transition. IPv4 devices like my iPod Touch simply can not go to an IPv6 website and vice versa. This requires a translator computer. Translator computers are still in the development stage as can be seen by the various articles we have seen on ComCast in particular working on this very issue. I also expect cell carriers to participate when those come available as 16 million class A addresses are simply NOT enough.


Can you talk about this?

Answer: Steve thinks 2011 will be interesting and that we are not ready for IPv6, although IPv6 gives us a crazy amount of IP addresses. Leo points out that there are universities with unused class A blocks. Steve thinks the use of NAT will increase.

Question [ 08 ] - Alexandre Garcia in Portugal finds the "evercookie" *NOT* so "ever" !!!!

01:48:39 - 01:43:51
Question: Regarding your last topic, the "evercookie", I just want to remind you that Sandboxie is perfect for people concerned with this kind of menace. I've visited the site under a sandboxed instance of IE, and let it set the evercookie. Then I've closed the browser and run it again, under Sandboxie.


Sure enough the site was able to set the evercookie on my system, of course, inside the sandbox. Then I've just flushed the sandbox and visited the site again, using the same IP. The evercookie site was no longer able to track me at all. Sandboxie was able to prevent that the evercookie could write any info to my "real" system and once again I was happy to be browsing under sandbox. Of course that if evercookie were to store at server side my IP, they could have re-generated the cookies, but at least they were not able to create permanent changes on my computer.

Answer: This is an easy solution to the problem.

Sponsors

Go To Assist Express

Astaro

  • Astaro.com, or phone 877-4-ASTARO
  • Ad Times: 1:18-1:32 and 46:36-50:39

Ford Sync

Production Information

  • Edited by: Tony