Security Now 284

From The Official TWiT Wiki
Jump to: navigation, search
Security Now
Episode 284

Contents

Security Now 284: Q&A 109

Israel and US teamed up on Stuxnet, global IPv6 test coming, your questions, and more.

Security Updates

  • None!

Security News

3:02 - 5:28

  • New York Times front page story: US and Israel teamed up on Stuxnet
    • The worm was TESTED extensively before release.

5:29 - 9:26

  • First global-scale IPv6 trial set for June 8th
    • Facebook, Google, Yahoo, Akamai, Limelight
    • Dubbed "World IPv6 Day" - both to test and to raise awareness
    • Participants will enable IPv6 on their main services for 24 hours.
    • Google has had "ipv6.google.com" since early 2008

9:27 - 12:20

  • Adobe creating a public API for LSO (Local Stored Object) deletion
    • Mozilla, Google, Apple & Adobe teamed up.
    • Chrome -- within several weeks -- should be the first browser to support the new API

Errata

12:21 - 16:09

  • Verisign now has a blackberry client for its one time password dongle that can be used with eBay / PayPal

16:10 - 17:26

  • SIPRNET should be pronounced Sip-per-net

SpinRite Story

17:27 - 20:54 Tom Leonard (Unknown)


Spinrite fixed a broken harddrive

Questions & Answers

24:48 - 01:24:00

Question [ 01 ] - Rob in Melbourne, Australia notes that NoScript is already adding "Do Not Track" headers to all queries!

24:48 - 32:33

Listener Comment: Just thought I'd drop you a line to let you know that NoScript seems to be adding headers to my HTTP queries regarding web-tracking, specifically 'X-Do-Not-Track' and 'X-Behavioral-Ad-Opt-Out'.

http://hackademix.net/2010/12/28/x-do-not-track-support-in-noscript/


Steve's Comment: These headers are not yet the standard but NoScript has been sending them for just under a month. It is also enabled by default. You can edit the settings by going to about:config and editing the noscript.donottrack.* options. A GUI and finer grain controls are coming soon.


Question [ 02 ] - Jamie in England, UK wonders about IPV4 “Doomsday”

32:34 - 41:17

Question: When you were recently talking about IPv4 address depletion you said that the day we run out of IPV4 addresses would be "doomsday". How can this be the case? Surely all of the equipment we already have on the net will be fine and can continue talking to each other? It's just that no one new will be able to join us. Am I correct? So it is only a mild concern, right?

Could the new clients joining the net not simply go through an IPV4 proxy to talk to the rest of us?


Answer: It is similar to running out of phone numbers. If we run out of IP addresses then everyone who already has once will be fine but no one new will be able to join. It is going to be a mess to move to IPv6 which is why everyone is to reluctant to move. Steve wants to retract his comment though if he called it "Doomsday".


Question [ 03 ] - Tom Zerucha in the Detroit area brings up a good point about SSDs, Encryption, and the TRIM command...

41:18 - 53:11

Question: If the "whole disk" is encrypted in such a way that every sector is marked used, it will increase wear and maybe slow things since it will have to shuffle full blocks.

If only the used sectors are encrypted, then the TRIM command can work to erase blocks for the unused sectors (Windows 7 supports it). This will make it faster and more reliable.


Answer: This issue of TRIM means Steve was incorrect 2 weeks ago. When you write a sector to an SSD it must erase the sectore before it can write it. Due to the physics an SSD can not erase a single sector it must erase a larger block of sectors. If an SSD knew other sectors in the block did not have data in them then it would not have to cache them and replace them after deleting the block of sectors. This is what an SSD controller does. When you delete files the operating system only mark sectors as no longer in use, you don't actually physically erase the data. TRIM tells the drive controller that these certain sectors are now marked as no longer in use and it treats them as having no data there.

So this means that Tom is correct.


Question [ 04 ] - Jamie Hunt in England, UK wonders about Driver Update scanning?

53:12 - 01:00:08

Question: There seem to be millions of sites scattered about the Internet saying that they will scan my PC for outdated drivers. But 95% of these programs seem to be from an unreputable source. My question to you is do you recommend using a program that will scan my PC for outdated drivers and tell me to update? Sort of like Secunia PSI for my drivers? And if so which ones do you recommend?


Answer: It is tempting to update to the latest drivers but updating your drivers offers very few new features. Unless something is broken Steve doesn't see the need to update your drivers. Some hardware manufacturers offer tools to check drivers.


Comment[ 05 ] - Charles Victorian in Houston, Texas wanted to follow up on what he learned about the security of his Frequency Hopping Spread Spectrum (FHSS) video monitors...

01:01:58 - 01:08:06

Listener Comment: Thank you so much for taking on my question about the Lorex Live Snap and its use of FHSS (Frequency Hopping Spread Spectrum) technology!

I was encouraged by your comments on the security which *might* be implemented by the camera system -- enough that I not only opened the one I had already purchased, but I also went out and bought a second system immediately after hearing the podcast so I could do a little "inter-system" testing of my own!

Reading over the User's Guide -- which I previously didn't have access to since I didn't find it online -- explains how to pair up cameras, which immediately gave me hope.

The guide states, "The camera(s) included with the monitor have already been "paired up" with the monitor."

It goes on to explain how to pair up additional cameras since the base system comes with 2 cameras, yet the monitor supports up to 4 cameras.

I won't bore you with all the details of the relatively simple pairing process. However, I will note in particular that it requires you to begin with the camera turned off (the cameras and the monitor each have separate power controls).

Additionally, under the "Tips" section, the guide states that, "The camera and monitor should be around 1 ft. apart during the pair up process."

So, with some confidence gained by your coverage of FHSS on the podcast, and a better understanding of how the product works from reading the included User's Guide, I tore into the second box.

While using a camera and monitor from the first set, I put the second monitor in "pair" mode. It responded with "Pairing" and some symbols indicating to wait for a little while. The process exited with, "No Device Found" even though this monitor was as close as I could get it to the currently broadcasting camera (they were plugged into separate outlets and I didn't have an extension cord handy). Nevertheless, any neighbor, etc. isn't going to be able to get closer than I was without being inside my house. So it is clear that once the camera is paired to a monitor, another stock monitor will not be able to receive that same signal.

It seems like, as in Bluetooth, the pairing process could leave you vulnerable for a few seconds, but then the signal should be locked in. It also seems that you would know if someone hijacked your camera since your monitor would likely say "No Device Found" which would clue you in.

I know that this doesn't address reverse engineering the system or building some sort of separate hacked monitor, but at least it isn't going to be *easy* for someone else to receive my camera's signal.


Steve's Comment: Its great that you have to pair the devices


Comment [ 06 ] - Brian Voeller in USA.Oregon.Medford notes that "Frequency Hopping is not Security"

01:08:07 - 01:11:52

Listener Comment: Regarding Episode 282 and the question about the security of a wireless baby monitor camera that touted frequency hopping as a security mechanism. I wouldn't regard that as effective, particularity in a video transmission context. Being a cheap camera it's probably sending analog NTSC or EIA (low quality version of NTSC) and hopping frequency on the completion of each frame, since the vertical blanking interval would make a convenient opportunity to let the tuner lock onto the next frequency.

Individual frames could be captured by scanning the frequency range slowly. Assuming 256 channels, once you found one of them you would get one frame every 8.5 seconds.


Steve's Comment: Frequency hoping is not security is used to avoid interference


Question [ 07 ] - Bill Boulton in Australia raises a great point about IPv6 Modem Routers...

01:11:53 - 01:15:52

Question: If the world is going to be forced to move to IPv6 by year's end, why are almost no IPv6 capable consumer modem-routers available as yet? There must be well over a hundred different models of various makes on the local market ... of which only THREE have the necessary features!

It seems more than a little strange to me with one group crying "We're running out of IP addresses!" and the manufacturers saying "Huh?"


Answer: Steve agrees and has never seen an IPv6 NAT router


Comment [ 08 ] - Aloke Prasad in Ohio notes that Microsoft disagrees with Steve about swapfiles on SSD drives...

01:15:53 - 01:21:25

Listener Comment:In Security Now # 282 Steve said that it was unwise to use an SSD for the Windows swap file. The following article from Microsoft says otherwise:

http://blogs.msdn.com/b/e7/archive/2009/05/05/support-and-q-a-for-solid- state-drives-and.aspx

[quote] Should the pagefile be placed on SSDs?

Yes. Most pagefile operations are small random reads or larger sequential writes, both of which are types of operations that SSDs handle well.

In looking at telemetry data from thousands of traces and focusing on pagefile reads and writes, we find that

  • Pagefile.sys reads outnumber pagefile.sys writes by about 40 to 1
  • Pagefile.sys read sizes are typically quite small, with 67% less than or

equal to 4 KB, and 88% less than 16 KB.

  • Pagefile.sys writes are relatively large, with 62% greater than or equal to

128 KB and 45% being exactly 1 MB in size.

In fact, given typical pagefile reference patterns and the favorable performance characteristics SSDs have on those patterns, there are few files better than the pagefile to place on an SSD. [/quote]

Steve's Comment: If you are talking about performance you are right. In terms of maximising the life of a drive it is still true that performing lots of writes will wear them out more quickly.


Question [ 09 ] - Jim Sanders in Irvine, California wonders about iPod/iPad solid state hard drives...

01:21:26 - 01:24:00

Question: You've talked about the finite number of write cycles on solid state hard drives which, I presume, includes the array of portable devices like the iPod and iPad.

Given that, should we be thinking about minimizing the number of times we sync the devices? Does syncing the devices with the desktop frequently shorten the lifespan of the SSHD?

Answer: The least robust SSD technology is MLC (Multi Level Cell) The more robust (and expensive) technology is the SLC (Single level cell). However even the MLC technology has a minimum life rating of 10,000 write cycles. If you re wrote the ENTIRE drive daily it would still last 27.397 years.


Sponsors

Astaro

  • Astaro.com or phone 877-4-ASTARO
  • Ad Times: 0:48-1:03 and 20:54-24:21

Production Information

  • Edited by: Tony
  • Notes:
Info.png This area is for use by TWiT staff only. Please do not add or edit any content within this section.
Personal tools