Security Now 298

From The Official TWiT Wiki
Jump to: navigation, search
Security Now
Episode 298

Security Now 298: Your Questions, Steve's Answers #116

News & Errata

  • Steve talked about the Oak Ridge National Laboratory's security breech which stemmed from a so-called Advanced Persistent Threat (APT) in the form of an e-mail purportedly from the human resources department which contained a link to malware. Steve and Leo mention the irony in the fact that the U.S. Department of Energy is among the most security-minded branches of the U.S. government.


  • Steve also talked about the security breech of Sony's Playstation Network and Qriocity services, which affected a reported seventy-seven million users. Steve read the following from Sony's website:
...we believe that an unauthorized person has obtained the following information that you provided: name, address (city, state, zip),
country, email address, birthdate, PlayStation Network/Qriocity password and login, and handle/PSN online ID. It is also possible that
your profile data, including purchase history and billing address (city, state, zip), and your PlayStation Network/Qriocity password
security answers may have been obtained. If you have authorized a sub-account for your dependent, the same data with respect to your
dependent may have been obtained. While there is no evidence at this time that credit card data was taken, we cannot rule out the
possibility.


  • Steve then read statements from Apple's website regarding the iPhone and iPad 3G storing users location data, claiming the problem was a bug. However, Leo believes it is an attempt to gather information about Wi-Fi hotspots.


  • Federal Trade Commission Chairman Jon Leibowitz says Google is the only "Do Not Track" holdout.



  • Andrew, a listener of the podcast, wrote up a nice review of the Microsoft Safety Scanner, which Steve wished to share on the podcast. That review can be found on Andrew's site (andrewtechhelp.com).


  • Steve was also impressed with a technique called "Disk Drive Steganography"


  • The guys ended the segment mentioning a widget for Windows 7 that counts down to the end of support for Windows XP Service Pack 3, and a clever alternative to the "CAPTCHA" system of bot-control that simply asks a question, like: "What year was the Battle of Hastings?" This system can easily thwart bots but not bother humans much.

Spinrite Story

"Hi, Steve. Last week I brought over my computer to a friend of mine because we were having a LAN party. When I got home later that weekend and booted up my computer, it was extremely slow. It was practically impossible to work with it. It would start up in about 10 minutes, 10 times longer than before, and it would get stuck while performing tasks like opening an application.

"After rebooting the computer a few times, I decided to use my copy of SpinRite. While booting into SpinRite, SpinRite immediately recognized that the drive's SMART subsystem for some reason had been turned off. So SpinRite automatically turned it on. That surprised me. So before proceeding to run SpinRite, I tried booting normally. Bang. Everything was back to normal. I didn't need to run SpinRite. The computer booted up just fine and worked as before. Thanks for a great product."

Topic

Questions & Answers

Question: [ 01 ]


Question:
Chuong Pham wrote saying: "Thanks for providing ShieldsUP! However, I have one question regarding the user specified custom port probe option. Your website shows my port number 58529 as being failed. It's not true stealth. It's open, due to the fact that I've opened this port for uploading data. Now, if I disable outgoing traffic in my router for this port, then I can't upload any data. Would it be possible for you to reevaluate the rules regarding P2P ports? Other P2P apps use different ports from Vuze, so I assume they'll also fail, according to your website scan. Interested in feedback. Kind regards, Chuong Pham.

Answer:
Steve: "...what ShieldsUP! is doing is it's demonstrating that unsolicited packets are able to get into his inner sanctum, essentially, through his router. And I said, it doesn't mean that this is unsafe..."

Leo said, "I would have just said, "Dufus, that's the point of ShieldsUP!, to tell you what ports are open."

Question: [ 02 ]


Question:
Hi, Steve. Love the show. I've been listening for a little over a year now. During that time, until now, I've been able to bite my tongue. But I can't hold back any longer. For the love of all that is holy, why don't you use Linux?

Answer:
Steve: "I like Windows ... I know Windows inside and out."

Leo: "And also you're a Windows developer ... Well, and that's another answer which you've given in the past, which is how am I to talk about Windows security, how am I to be an expert in Windows security, if I don't use Windows?"

Question: [ 03 ]


Question:
Friedrich H. Burkardsmaier asks, "Steve, one of your recent episodes you recommended the use of a virtual keyboard to enter passwords so they can't be intercepted by keystroke loggers. My concern is that passwords could still be intercepted by something called a "form grabber," once the virtual keyboard has been used to fill in the form. I would appreciate it if you could elaborate on this topic. How are form grabbers implemented? Are there effective countermeasures a user can take? Thanks for the excellent software and for the great podcast. I always look forward to listening to every episode."

Answer:
Steve: "So, okay. So what he's saying is that he recognizes that a virtual keyboard, like a keyboard on the screen which you click with the mouse, will avoid a hardware keystroke, and actually hardware and probably software keystroke logger; but that, once you've used that to fill out the form, when you submit the form, there's this possibility that the contents of the form could be grabbed by some malware running in your machine. And he's absolutely right. ... It doesn't get encrypted, of course, until it goes into SSL. So the form contents itself is in the clear. The only thing I could imagine that would solve this would be scripting, which would run in the browser client, which would intercept the Submission button, and that's easy to do in JavaScript, preventing the normal browser behavior. It would then take the data from the form, encrypt it well, and then submit that. So it really needs to be - it needs to be a service provided by the page containing the form that you're submitting.

Question: [ 04 ]


Question:

Answer:

Question: [ 05 ]


Question:

Answer:

Question: [ 06 ]


Question:

Answer:

Question: [ 07 ]


Question:

Answer:

Question: [ 08 ]


Question:

Answer:

Question: [ 09 ]


Question:

Answer:

Question: [ 10 ]


Question:

Answer:

Question: [ 11 ]


Question:

Answer:

Question: [ 12 ]


Question:

Answer:

Notable Quotes

Significant Products

  • Link URL and optional brief description

Sponsors

Netflix

Squarespace

Production Information

  • Edited by: Jason
  • Notes:
Info.png This area is for use by TWiT staff only. Please do not add or edit any content within this section.