Security Now 308
Recorded: July 6, 2011
Published: July 6, 2011
Security Now 308: Q&A 121
- SecurEnvoy applauds LulzSec attacks
- DropBox security & privacy updates; Dropbox saves storage by keeping only one copy of any file that is duplicated across ALL users (cross-user deduplication).
- DropShip, a tool that could replace BitTorrent by transferring files through Dropbox using that deduplication trick: it injects a file into a user's account without having or uploading it, by submitting the file's hashes to the account so that Dropbox treats the file as already present. The tool appeared in March; Dropbox has since fixed the issue and it no longer works.
- Microsoft has acquired a patent on how to eavesdrop on a P2P VoIP system, specifically Skype.
- A website, "Is My Credit Card Stolen", claims to check whether your credit card has been stolen (DON'T ENTER YOUR CREDIT CARD NUMBER!!!); it is really just an IQ test of how well users understand security.
Attacks & Breaches
- Sony has been hacked for the 20th+ time, this time Sony Music Ireland, where fake news items were posted (News article).
- Apple's Business Intelligence website has been hacked by Anonymous (News article).
- HybridAuth, an open source web-based authentication and authorisation solution that combines several major social networks and identity providers into one simple PHP library, which any web site developer can use to let users authenticate with an account they already have instead of having to register.
- Steve's re-review of the Certificate Patrol addon for Firefox.
- Powerline frequency drifting from 60Hz (AP article)
- Smoke alarms remote control
- Google Gmail + filters
- Steve's Book Pick: Daemon by Daniel Suarez
TiVo HDD fixed with SpinRite
Questions & Answers
Question: [ 01 ] Is using a CDFS filesystem on a USB stick safe?
It is possible to write a CDFS (CD File System, ISO 9660) image onto a USB stick; the result is a read-only USB stick. The OS presents it to any running software as a read-only device, and any write access through the filesystem is refused by the OS. The weakness is that the stick is still a read/write device underneath: the read-only behaviour is enforced by the OS because of the filesystem it recognises, not by the hardware. A program with raw access to the block device can rewrite the image and add or remove files; no malware that does this is known yet. A USB stick with a hardware write-protect switch is safer, but the CDFS trick is neat and will protect against ordinary malware.
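As an added example (not from the show, and not a mountable image), here is the check an OS makes before deciding a volume is a CD filesystem and mounting it read-only, together with a simulated raw write that bypasses that protection. ISO 9660 keeps its Primary Volume Descriptor at sector 16 (2048-byte sectors) with the signature `CD001`; the image built below is constructed inline and only carries that descriptor. Function names and the /dev-style "raw overwrite" are illustrative assumptions; a real image would come from genisoimage or mkisofs and be written with dd.

```python
"""Why a CDFS-on-USB stick is read-only in software only.

Added example, not code from Security Now or any vendor. The image is a
constructed minimal ISO 9660 stand-in: valid volume descriptors, no files.
"""

SECTOR = 2048          # ISO 9660 logical sector size
PVD_SECTOR = 16        # sectors 0..15 are the "system area"; the PVD follows
ISO_MAGIC = b"CD001"   # standard identifier in every volume descriptor


def build_minimal_iso(volume_id: str = "READONLY") -> bytearray:
    """Construct a tiny image: 16 empty system sectors, a Primary Volume
    Descriptor (type 1) and a Volume Descriptor Set Terminator (type 255)."""
    img = bytearray(SECTOR * (PVD_SECTOR + 2))
    pvd = bytearray(SECTOR)
    pvd[0] = 1                                   # descriptor type: primary
    pvd[1:6] = ISO_MAGIC
    pvd[6] = 1                                   # descriptor version
    pvd[40:72] = volume_id.encode("ascii").ljust(32)   # volume identifier field
    img[PVD_SECTOR * SECTOR:(PVD_SECTOR + 1) * SECTOR] = pvd
    term = bytearray(SECTOR)
    term[0] = 255                                # descriptor type: terminator
    term[1:6] = ISO_MAGIC
    term[6] = 1
    img[(PVD_SECTOR + 1) * SECTOR:(PVD_SECTOR + 2) * SECTOR] = term
    return img


def iso9660_volume_id(dev: bytes):
    """Return the volume id if `dev` carries a CDFS signature, else None.
    This is the recognition step: the OS only knows it is "a CD" because of
    these bytes, nothing about the flash hardware says read-only."""
    off = PVD_SECTOR * SECTOR
    if len(dev) < off + SECTOR:
        return None
    pvd = dev[off:off + SECTOR]
    if pvd[0] != 1 or pvd[1:6] != ISO_MAGIC or pvd[6] != 1:
        return None
    return pvd[40:72].decode("ascii").rstrip()


def mount_mode(dev: bytes) -> str:
    """What a driver would do with the device: 'ro' for CDFS, 'rw' otherwise."""
    return "ro" if iso9660_volume_id(dev) is not None else "rw"


def raw_overwrite(dev: bytearray, offset: int, data: bytes) -> None:
    """Simulate a process that opened the raw block device (assumption: it
    has the privilege to do so) and wrote past the filesystem layer."""
    dev[offset:offset + len(data)] = data


if __name__ == "__main__":
    stick = build_minimal_iso("SAFE")
    print("before raw write:", mount_mode(stick), iso9660_volume_id(stick))
    raw_overwrite(stick, PVD_SECTOR * SECTOR + 1, b"XXXXX")   # clobber "CD001"
    print("after raw write: ", mount_mode(stick), iso9660_volume_id(stick))
```

The overwrite needs nothing more than permission to open the block device; the filesystem layer's read-only flag is never consulted. A hardware write-protect switch sits below that layer, which is why the show calls it the safer option.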
Question: [ 02 ] Is Adobe Shockwave Player really necessary?
Don't install it unless you **really** need it. Old games used to use it, but not anymore. And it is worse than Flash Player because it gets less security attention.
Question: [ 03 ] Tip: iPhone/iPad passwords: turn off "Simple Passcode" to get a full QWERTY password instead of a 4-digit numeric passcode.
Question: [ 04 ] Why is all personal data on company computers not encrypted, and not just passwords? Is the reason technical, or something else?
In the early days of computing security was not very important, and things have continued that way. Unless a law forces it, with penalties, companies won't do it. Passwords are stored as hashes because we never need to "unhash" them: to check a password it is hashed and the result compared to the stored hash. E-mail addresses and other personal data can't be hashed because they are needed in the clear, and hashes are one-way; encryption is what should be used for the rest of the personal data.
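The password side of that answer, as an added example (not from the show): a salted, iterated hash is stored, and a login attempt is verified by recomputing it, so the plaintext password is never needed again. The iteration count, storage format and function names are assumptions of this example, not any product's scheme; the standard library is enough here. For the e-mail address or other data that must come back out in the clear, hashing is useless and you would use an authenticated cipher instead (for instance `AESGCM` from the third-party `cryptography` package), which this block deliberately does not cover.

```python
"""Store a password as a verifiable one-way hash.

Added example, not code from Security Now. Standard library only.
"""
import base64
import hashlib
import hmac
import os

# Assumption: PBKDF2-HMAC-SHA256 with a work factor a 2023 server can afford.
ITERATIONS = 600_000
SALT_LEN = 16


def hash_password(password: str, salt: bytes = None) -> str:
    """Return a self-describing record 'pbkdf2_sha256$iters$salt$hash'.
    A fresh random salt per user defeats precomputed (rainbow) tables and
    makes two users with the same password store different records."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (
        ITERATIONS,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"),
    )


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash from the candidate password and the stored salt and
    iteration count; the stored record is all that is needed, never the
    original password. Constant-time compare avoids a timing side channel."""
    algo, iters, salt_b64, dk_b64 = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(dk_b64)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iters))
    return hmac.compare_digest(dk, expected)


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))   # True
    print(verify_password("wrong", record))                          # False
```

Keeping the iteration count inside the record lets you raise the work factor later and rehash each user on their next successful login, without a flag day.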
Question: [ 05 ] What will Steve do after Windows XP support ends in 3 years? Will Win7 be good in 3 years? And what are the Star Trek sounds in the background?
1006 days are left for Windows XP support. Steve is already running Windows 7 on his tablet, a side computer and a few others, and he is very happy with it; in 3 years Windows 7 will be great :)
The Star Trek noises Steve has in the background are found here: http://www.stdimension.org/MediaLib/computere.htm High quality, purified Star Trek sounds.
Question: [ 06 ] Blizzard's new authentication: they don't ask for the authenticator number on every login, but claim to do some checks to validate the user, without saying what they really do. Is the checking imaginary or what?
Question: [ 07 ] Blizzard used to check the user's location and lock the account if it was accessed from an unexpected location; recently they changed the policy, with no details about the new methods (location, MAC address, etc.). Is this weakening or strengthening security?
To protect user accounts, Blizzard introduced the authenticator token, but there were man-in-the-middle attacks against it (EMcore.dll infections): this DLL would intercept, in real time, the username/password and the code currently displayed on the authenticator and ship them somewhere bad, where they were used immediately; the legitimate user got an error while the attacker logged in and emptied the account.
Blizzard then implemented a hybrid approach: only ask for the PIN when something changes, such as a different location or IP address. The other signal can be anything: a certificate, MAC address, cookie, hard drive serial number and many others; they just don't say what they use. The hybrid approach makes sense in this case.
Question: [ 08 ] Topic of the week: Are we losing the forest for the trees? Preferring hanging out with friends over using Facebook, going into the bank face-to-face rather than online, sitting in front of a slide projector rather than a Facebook album, etc. Is it right to move everything to the internet?
- Edited by: TechEngineer