Security Now 286

From The Official TWiT Wiki
Jump to: navigation, search
Security Now
Episode 286

Security Now 110: Your Questions, Steve's Answers #110

News & Errata

3:36 - 12:04

  • A new flaw has been found in Internet Explorer
  • Its in the MHTML module which allows you to save an entire webpage as a single file
  • Microsoft has a fix it http://www.support.microsoft.com/kb/250169
  • It can be exploited through cross site scripting

12:05 - 14:14

  • Opera 11.01 has been released to fix various security problems

14:25 - 16:47

  • Android 2.2 had a known data disclosure vulnerability
  • If you visited a malicious site in the default browser it could get access to your phones SD card
  • Google fixed it
  • A way around Googles fix has been found in Android 2.3
  • Google are working on fixing it
  • You can disable javascript or use a different browser in the mean time

16:48 - 22:19

  • Source Forge was hacked
  • A malicious SSH daemon had gotten onto there server and was logging passwords
  • They are now auditing the code

22:20 - 33:12

  • Steve wants to remind people that all of the IP addresses being given out does not mean they are all in use

33:13 - 35:14

  • The new Connecticut Atourney General has settled with Google over the collection of wifi data

35:15 - 43:18

  • Computer World reported that Intel have new technology that will stop 0 day attacks

43:19 - 46:12

  • Facebook have now rolled out the option for users to use SSL for the entire site


Spinrite Story

46:13 - 49:39 Lee (Unknown)

Spinrite fixed a broken hard drive


Questions & Answers

Question: [ 01 ]

51:05 - 57:51 Ben (Atlanta)

Question: Is using XOR for encryption good or bad ?

Answer: XOR is fine as long as the key you are XOR'ing against is random and you don't re use it. Encryption relying solely on XOR is vulnerable to a known plain text attack though.

Question: [ 02 ]

57:52 - 1:02:17 Chris
Question: The Beef TACO addon for firefox lets you opt out of tracking cookies

Answer: There are claims version 3 has become bloat ware and you should stick with version 2

Question: [ 03 ]

1:02:18 - 1:08:49 Luke
Question: Could NAT help with the IP v4 problem ?

Answer: NAT uses port numbers to differentiate between the traffic coming back, there are only 2^16 possible port numbers so it wouldn't work on a very large scale. It would also break some services for people who need to allow unsolicited traffic through. But this could work.

Question: [ 04 ]

1:08:50 - 1:13:26 Steven
Question: Can I use a long random SSID and a smaller password on WPA to avoid having to type a long password in?

Answer: For WPA the password and SSID are merged together and then hashed 4,096 times. However anyone can view your SSID even if you turn broadcasting off so this would not provide any added security

Question: [ 05 ]

1:13:27 - 1:15:20
Question: TRIM is supported in Linux and BSD

Answer: This is true

Question: [ 06 ]

1:15:21 - 1:20:55
Question: Using a software based OTP solution the secret token could be easily compromised compared to a hardware device

Answer: The software solution could be more easily compromised but it still provides a lot of extra security

Question: [ 07 ]

1:20:56 - 1:24:57
Question: My router was limiting my download speed to 15 mb/s I upgraded to an Astaro Gateway and I got 90 mb/s

Answer: Home routers are typically built with the cheapest technology available

Question: [ 08 ]

1:24:58 - 1:29:37
Question: Does Microsofts black list tracking opt out prevent side channel privacy leakage ?

Answer: Yes

Question: [ 09 ]

1:29:38 - 1:32:54
Question: My will router stop being a NAT router if I upgrade the firmware to support IPv6 ?

Answer: Steve doesn't know

Sponsors

Mail Route

  • Ad Time: 49:40 - 50:56

Production Information

  • Edited by: Jason
  • Notes:
Info.png This area is for use by TWiT staff only. Please do not add or edit any content within this section.