Security Now 341

From The Official TWiT Wiki

Security Now 341: The Anonymous Threat

News & Errata

  • Steve and Leo talked about coffee in a segment before this episode; see Security Now 341a.
  • A posting has been put on Pastebin stating that the "Anonymous" group intends to take down the internet on March 31st.
    • There is no way to validate the authenticity of this posting.
  • Correction to last week's statement that CAs needed to do a better job of generating prime numbers: the keys are not generated by the CA. They are created by the webmaster of each individual website, which makes this problem much more difficult to solve.
    • A further part of this problem: Euclid's algorithm finds the greatest common divisor of two numbers, so if one can find two websites whose keys share the same greatest common divisor (a common prime), one can easily crack the private keys of both sites.
  • Google is working on a password management system for Chrome which will be similar to the functionality of LastPass.
  • David Ward suggested a method for giving loved ones access to passwords after one's death. One could use a LastPass account and generate a one-time password which could then be stored in a bank vault for example.
  • Google and three other advertisers have been found to be bypassing Safari's anti-tracking protection (PrivacyCast article).
    • Safari doesn't stop using third-party cookies that it already has stored when third-party cookies are disabled. They must be deleted to stop this behavior.
    • Safari contains a WebKit bug that was fixed seven months ago, but the fix has not been merged into Safari: if a form is submitted to a third-party site, the site can attach cookies to the response even if third-party cookies are disabled.
    • A web form placed in an iframe in an ad can be submitted using JavaScript, which allows cookies to be set. This is the method that Google and other advertisers are using.
  • Google was also found to be using a fake P3P privacy policy to bypass a system in IE that requires this to be present for cookies to be allowed. However, this has become common practice for many websites because Microsoft's P3P technology is "widely non-operational".
  • An interesting site Steve has come across is BuiltWith.com, which indexes the technology used by websites and tracks these trends on Trends.BuiltWith.com.
  • Chrome side tabs have been discontinued, to the dismay of some users who passionately loved them. Google claims the feature was removed to keep Chrome lightweight (Google Code thread).
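
As an added example (not from the episode or the TWiT wiki), the shared-prime check described in the key-generation correction above can be run as an audit over one's own inventory of RSA public moduli. The hostnames and toy moduli are constructed, and the function names are illustrative.

```python
from itertools import combinations
from math import gcd

# Constructed toy moduli with hypothetical hostnames. Real RSA moduli are
# 2048 bits or more; small primes keep the arithmetic checkable by hand.
MODULI = {
    "site-a.example": 101 * 103,
    "site-b.example": 101 * 107,  # shares the prime 101 with site-a
    "site-c.example": 109 * 113,
    "site-d.example": 127 * 131,
    "site-e.example": 127 * 131,  # same key deployed on a second host
}


def audit_moduli(moduli):
    """Return (host1, host2, finding, shared_prime) for every weak pair."""
    report = []
    for (h1, n1), (h2, n2) in combinations(sorted(moduli.items()), 2):
        g = gcd(n1, n2)  # Euclid's algorithm; cheap even for 4096-bit inputs
        if g == 1:
            continue  # coprime moduli reveal nothing about each other
        if n1 == n2:
            # Identical modulus: the key is reused, but no factor is exposed.
            report.append((h1, h2, "duplicate-modulus", None))
        else:
            # g is a prime both moduli contain, so both keys are factorable.
            report.append((h1, h2, "shared-prime", g))
    return report


def split_modulus(n, p):
    """Given one prime factor p of n, return both factors (p, q)."""
    q, remainder = divmod(n, p)
    if remainder or p in (1, n):
        raise ValueError("p is not a proper factor of n")
    return p, q


if __name__ == "__main__":
    for h1, h2, finding, prime in audit_moduli(MODULI):
        print(f"{h1} / {h2}: {finding}")
        if prime is not None:
            # Both keys must be regenerated: their factorizations are known.
            print("  ", split_modulus(MODULI[h1], prime),
                  split_modulus(MODULI[h2], prime))
```

Pairwise comparison grows quadratically with the number of keys; surveys over millions of keys use a batch GCD built on product trees instead.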

SpinRite Story - Andrew

"Hi, Steve. I'm not a super tech, but I love the podcast for all the great information and news you and Leo provide. To get right to it, I have had a hard drive that apparently died on me about six years ago. Multiple attempts were made to recover the data as it had three years of family photos, including one of my sons' births and two years of his infancy. The only other option I felt I had was to send the drive off and pay a large sum to have the data recovered. I figured maybe in the future someday I could do this, as money was short currently.

I've been a listener for a year now, and I figured, what the heck, let's try it. I purchased SpinRite and began the recovery process. The scan ran for approximately two weeks." And now I'll just remind people, that's like a worst-case scenario. SpinRite will work as long as it has to, to do the recovery. Normally it's two hours. But it can be two weeks if there's, like, lots of extensive damage. And he said, "I assumed 'It's probably not going to work.' When the scan finally finished, I connected it as a secondary drive to my PC. The drive appeared, and the data was now accessible!!!

I immediately copied over all the data. I put together a slide show of our precious photos and ran it. When my wife was passing by the computer and realized what had happened, the biggest smile and streaming tears came to her face. Thank you so much for saving us hundreds, if not thousands of dollars, and making a very memorable moment in our lives."

Topic - The Anonymous Threat

  • Anonymous has previously taken down or breached specific sites
    • They successfully took down the CIA.gov site earlier this month (February 10th)
    • They also breached the "United States Federal Trade Commission's Consumer Protection Business Center" and "National Consumer Protection Week" websites on February 17th replacing them with a violent German video
  • It is the belief of some federal officials that Anonymous is headed in a more disruptive direction such as attacking the power grid.
  • The plan announced on Pastebin, dubbed "Operation Global Blackout", states that they intend to take down the Internet on March 31st (see Pastebin).
  • To effectively shut down the Internet, the root DNS servers would need to be held offline by means of a DDoS attack for several days.
    • There are 13 root DNS IP addresses for the servers, known as the A to M root servers.
    • There are significantly more than 13 servers, however, because they use a system called anycast to route traffic to the closest server that matches the requested IP address.
    • Since the only way to get to any particular server is to be physically close to it, in order to hold all the root servers offline, one would need to DDoS all 13 IPs from every possible physical location.

Significant Products

  • The Consent of the Networked: The Worldwide Struggle for Internet Freedom (book, Amazon Store)

Sponsors

Ford SYNC
