Security Now 369

Security Now Episode 369

Hosts: Leo Laporte and Steve Gibson Topic: Internet Identity Update Recorded: September 11, 2012 Published: September 11, 2012 Duration: 1:44:02 Transcript Previous episode – Next episode

Contents 1 Security Now 369: Internet Identity Update 1.1 News & Errata 1.2 Spinrite Story 1.3 Topic 2 Notable Quotes 3 Significant Products 4 Sponsors 4.1 Audible 4.1.1 Picks 4.2 Other Sponsor 5 Production Information

Security Now 369: Internet Identity Update

News & Errata

Microsoft 2nd Tuesday of the month updates (9/11/12):

• Two "important" privilege escalation vulnerabilities.
• Microsoft Visual Studio Team Foundation Server 2010 Service Pack 1 released.
• Updates for Windows Server applications:
  • Microsoft Systems Management Server 2003 Service Pack 3
  • Microsoft System Center Configuration Manager 2007 Service Pack 2

Apple updated Java on Mac OS X.

• Apple released Java SE 6 Update 35 (1.6.0_35) for Mac OS X on September 4th.

Massive GoDaddy outage on Monday 9/10

• GoDaddy's services experienced expected downtime, lasting from 10am PDT to 4pm PDT on Monday 9/10.
  • During this time godaddy.com and couponpuppet.com, may have not resolved in DNS.
  • GoDaddy released a statement on the issue earlier today (9/11).
    • GoDaddy claims the issue was not caused by a DDoS attack and was not caused by external sources.
    • No customer data was leaked, this was not a hack.

Apache and Do Not Track:

• The Apache HTTP Server will be suppressing the "do not track" header, if the client identifies itself as Internet Explorer 10.

UUID Leakage:

• David Schuetz (aka @darthnull & http://darthnull.org/)
  • Examined the data, crunched it through filters, looked for dups, saw a pattern.
  • Data was leaked from an app developer and not an FBI laptop.

UPEK Fingerprint Logon:

• User passwords are lightly obscured and stored in the system registry.
• People who have purchased devices Acer, Amoi, ASUS, Clevo, Compal, Dell, Gateway, IBM/Lenovo, Itronix, MPC, MSI, NEC,

Sager, Samsung, Sony, and Toshiba may find UPEK on their machines.

• Fingerprint authentication (EFS) is designed to be unbreakable. Unless of course you use UPEK's biometric.

Spinrite Story

James Lewis writes about how SpinRite got him a free TiVo. He writes "I was skeptical SpinRite even worked. I figured it was worth giving a shot for 89 bucks. I've been using my Series 1 TiVo for years. My friend had one of those fancy Humax Series 2 with DVD burners. One day it wouldn't reboot for him, so he gave it to me for free. SpinRite spent a couple of hours on the drive, and when it was done I had a Series 2 TiVo. Thank you."

Topic

Internet Identity Update:

• OATH is the internet standard for event or time based code generation.
• OAUTH provides permission management background autonomous data sharing inside of an application.
• OAUTH asks the user for the other service they wish to authenticate against.
  • For example: "Login Using Facebook" / "Login Using Twitter"
• OpenID: A user visiting website website A authenticates to site A by using login information for site B.
  • OpenID first asks the user for their "universal ID".

Notable Quotes

Significant Products

• Link URL and optional brief description

Sponsors

Audible

• Audible URL

Picks

TBD by TBD (ABRIDGED/UNABRIDGED) Narrated by TBD

Other Sponsor

• Link URL

Production Information

• Edited by:
• Notes:

This area is for use by TWiT staff only. Please do not add or edit any content within this section.